{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# **MITRE ATT&CK API BASICS**: Python Client\n",
    "------------------"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Import ATTACK API Client"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 1,
   "metadata": {},
   "outputs": [],
   "source": [
    "from attackcti import attack_client"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Import Extra Libraries"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 2,
   "metadata": {},
   "outputs": [],
   "source": [
    "from pandas import *\n",
    "import json"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 3,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "'1.1.2'"
      ]
     },
     "execution_count": 3,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "pandas.__version__"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Initialize ATT&CK Client Variable"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 4,
   "metadata": {},
   "outputs": [],
   "source": [
    "lift = attack_client()"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## **Collect (Enterprise ATT&CK, Pre-ATT&CK & Mobile ATT&CK)**\n",
    "* I usually collect all the stix object types available from all the ATT&CK Matrices first when I want to analyze ATT&CK's data.\n",
    "* In this section, we will collect everything from Enterprise ATT&CK, PRE-ATT&CK and Mobile ATT&CK via three functions that query ATT&CK content available in STIX™ 2.0 format via its own public TAXII™ 2.0 server:\n",
    "  * get_enterprise()\n",
    "  * get_pre()\n",
    "  * get_mobile()"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Collect ALL Enterprise ATT&CK (TAXII)**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 5,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "CPU times: user 2.75 s, sys: 107 ms, total: 2.86 s\n",
      "Wall time: 5.05 s\n"
     ]
    }
   ],
   "source": [
    "%time all_enterprise = lift.get_enterprise()"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Collect ALL PRE-ATT&CK (TAXII)**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 6,
   "metadata": {},
   "outputs": [
    {
     "name": "stderr",
     "output_type": "stream",
     "text": [
      "/usr/local/lib/python3.8/site-packages/attackcti/attack_api.py:426: UserWarning: PRE ATT&CK is deprecated. It will be removed in future versions. Consider adjusting your application\n",
      "  warnings.warn(\"PRE ATT&CK is deprecated. It will be removed in future versions. Consider adjusting your application\")\n"
     ]
    },
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "CPU times: user 124 ms, sys: 9.77 ms, total: 133 ms\n",
      "Wall time: 539 ms\n"
     ]
    }
   ],
   "source": [
    "%time all_pre = lift.get_pre()"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Collect ALL Mobile ATT&CK (TAXII)**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 7,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "CPU times: user 300 ms, sys: 16.7 ms, total: 317 ms\n",
      "Wall time: 766 ms\n"
     ]
    }
   ],
   "source": [
    "%time all_mobile = lift.get_mobile()"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## **Collect ALL (It runs All 3 previous functions and collects all the results)**"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "The **get_stix_objects()** function returns a dictionary with all the stix object types from all matrices:\n",
    "* techniques\n",
    "* mitigations\n",
    "* groups\n",
    "* malware\n",
    "* tools\n",
    "* relationships"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 8,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "CPU times: user 2min 48s, sys: 823 ms, total: 2min 49s\n",
      "Wall time: 2min 54s\n"
     ]
    }
   ],
   "source": [
    "%time all_attack = lift.get_stix_objects()"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 9,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "dict"
      ]
     },
     "execution_count": 9,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "type(all_attack)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Techniques from ATT&CK Results (Locally - STIX format)\n",
    "* The results of this function shows every single technique across the whole ATT&CK framework without their mitigations information"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 10,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Techniques in ATT&CK\n",
      "1024\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Techniques in ATT&CK\")\n",
    "print(len(all_attack['techniques']))"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "* By default, the data returned by the available functions in the attackcti library is of type **stix2**\n",
    "* However, if you want to interact with libraries such as **Pandas**, it needs to be of type **dict**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 11,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created</th>\n",
       "      <th>name</th>\n",
       "      <th>x_mitre_data_sources</th>\n",
       "      <th>x_mitre_platforms</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>2020-10-20T00:09:33.072Z</td>\n",
       "      <td>Network Device CLI</td>\n",
       "      <td>[Network device logs, Network device run-time ...</td>\n",
       "      <td>[Network]</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>2020-10-20T00:08:21.745Z</td>\n",
       "      <td>Network Device Configuration Dump</td>\n",
       "      <td>[Netflow/Enclave netflow, Network protocol ana...</td>\n",
       "      <td>[Network]</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>2020-10-20T00:06:56.180Z</td>\n",
       "      <td>TFTP Boot</td>\n",
       "      <td>[Network device run-time memory, Network devic...</td>\n",
       "      <td>[Network]</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>2020-10-20T00:05:48.790Z</td>\n",
       "      <td>ROMMONkit</td>\n",
       "      <td>[File monitoring, Netflow/Enclave netflow, Net...</td>\n",
       "      <td>[Network]</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>4</th>\n",
       "      <td>2020-10-19T23:51:05.953Z</td>\n",
       "      <td>SNMP (MIB Dump)</td>\n",
       "      <td>[Netflow/Enclave netflow, Network protocol ana...</td>\n",
       "      <td>[Network]</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                    created                               name  \\\n",
       "0  2020-10-20T00:09:33.072Z                 Network Device CLI   \n",
       "1  2020-10-20T00:08:21.745Z  Network Device Configuration Dump   \n",
       "2  2020-10-20T00:06:56.180Z                          TFTP Boot   \n",
       "3  2020-10-20T00:05:48.790Z                          ROMMONkit   \n",
       "4  2020-10-19T23:51:05.953Z                    SNMP (MIB Dump)   \n",
       "\n",
       "                                x_mitre_data_sources x_mitre_platforms  \n",
       "0  [Network device logs, Network device run-time ...         [Network]  \n",
       "1  [Netflow/Enclave netflow, Network protocol ana...         [Network]  \n",
       "2  [Network device run-time memory, Network devic...         [Network]  \n",
       "3  [File monitoring, Netflow/Enclave netflow, Net...         [Network]  \n",
       "4  [Netflow/Enclave netflow, Network protocol ana...         [Network]  "
      ]
     },
     "execution_count": 11,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "techniques = []\n",
    "for t in all_attack['techniques']:\n",
    "    techniques.append(json.loads(t.serialize()))\n",
    "df = pandas.json_normalize(techniques)\n",
    "df.reindex(['created','name', 'x_mitre_data_sources', 'x_mitre_platforms'], axis=1)[0:5]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Showing the schema of Techniques**"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "This schema covers techniques from Enterprise, PRE and Mobile ATT&CK"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 12,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "['id',\n",
       " 'description',\n",
       " 'name',\n",
       " 'created_by_ref',\n",
       " 'object_marking_refs',\n",
       " 'external_references',\n",
       " 'type',\n",
       " 'kill_chain_phases',\n",
       " 'modified',\n",
       " 'created',\n",
       " 'x_mitre_data_sources',\n",
       " 'x_mitre_platforms',\n",
       " 'x_mitre_is_subtechnique',\n",
       " 'x_mitre_version',\n",
       " 'x_mitre_detection',\n",
       " 'x_mitre_permissions_required',\n",
       " 'x_mitre_defense_bypassed',\n",
       " 'x_mitre_contributors',\n",
       " 'x_mitre_system_requirements',\n",
       " 'x_mitre_network_requirements',\n",
       " 'x_mitre_effective_permissions',\n",
       " 'x_mitre_remote_support',\n",
       " 'x_mitre_impact_type',\n",
       " 'revoked',\n",
       " 'x_mitre_deprecated',\n",
       " 'x_mitre_old_attack_id',\n",
       " 'x_mitre_difficulty_for_adversary_explanation',\n",
       " 'x_mitre_difficulty_for_adversary',\n",
       " 'x_mitre_detectable_by_common_defenses_explanation',\n",
       " 'x_mitre_detectable_by_common_defenses',\n",
       " 'x_mitre_tactic_type']"
      ]
     },
     "execution_count": 12,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "list(df)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Showing one technique example**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 13,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "{'id': 'attack-pattern--818302b2-d640-477b-bf88-873120ce85c4',\n",
       " 'description': 'Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands. \\n\\nScripting interpreters automate tasks and extend functionality beyond the command set included in the network OS. The CLI and scripting interpreter are accessible through a direct console connection, or through remote means, such as telnet or secure shell (SSH).\\n\\nAdversaries can use the network CLI to change how network devices behave and operate. The CLI may be used to manipulate traffic flows to intercept or manipulate data, modify startup configuration parameters to load malicious system software, or to disable security features or logging to avoid detection. (Citation: Cisco Synful Knock Evolution)',\n",
       " 'name': 'Network Device CLI',\n",
       " 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',\n",
       " 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],\n",
       " 'external_references': [{'source_name': 'mitre-attack',\n",
       "   'external_id': 'T1059.008',\n",
       "   'url': 'https://attack.mitre.org/techniques/T1059/008'},\n",
       "  {'source_name': 'Cisco Synful Knock Evolution',\n",
       "   'url': 'https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices',\n",
       "   'description': 'Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.'},\n",
       "  {'source_name': 'Cisco IOS Software Integrity Assurance - Command History',\n",
       "   'url': 'https://tools.cisco.com/security/center/resources/integrity_assurance.html#23',\n",
       "   'description': 'Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Command History. Retrieved October 21, 2020.'}],\n",
       " 'type': 'attack-pattern',\n",
       " 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',\n",
       "   'phase_name': 'execution'}],\n",
       " 'modified': '2020-10-22T16:43:38.388Z',\n",
       " 'created': '2020-10-20T00:09:33.072Z',\n",
       " 'x_mitre_data_sources': ['Network device logs',\n",
       "  'Network device run-time memory',\n",
       "  'Network device command history',\n",
       "  'Network device configuration'],\n",
       " 'x_mitre_platforms': ['Network'],\n",
       " 'x_mitre_is_subtechnique': True,\n",
       " 'x_mitre_version': '1.0',\n",
       " 'x_mitre_detection': 'Consider reviewing command history in either the console or as part of the running memory to determine if unauthorized or suspicious commands were used to modify device configuration.(Citation: Cisco IOS Software Integrity Assurance - Command History)\\n\\nConsider comparing a copy of the network device configuration against a known-good version to discover unauthorized changes to the command interpreter. The same process can be accomplished through a comparison of the run-time memory, though this is non-trivial and may require assistance from the vendor.',\n",
       " 'x_mitre_permissions_required': ['Administrator', 'User']}"
      ]
     },
     "execution_count": 13,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "techniques[0]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Mitigations from ATT&CK Results (Locally)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 14,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Mitigations in ATT&CK\n",
      "296\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Mitigations in ATT&CK\")\n",
    "print(len(all_attack['mitigations']))"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "* Remember, we need to transform our results to dictionaries to be able to use them as pandas dataframes"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 15,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>external_references</th>\n",
       "      <th>description</th>\n",
       "      <th>name</th>\n",
       "      <th>id</th>\n",
       "      <th>type</th>\n",
       "      <th>modified</th>\n",
       "      <th>created</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_deprecated</th>\n",
       "      <th>x_mitre_old_attack_id</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'mitre-attack', 'external_id'...</td>\n",
       "      <td>This category is used for any applicable mitig...</td>\n",
       "      <td>Pre-compromise</td>\n",
       "      <td>course-of-action--78bb71be-92b4-46de-acd6-5f99...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>2020-10-20T19:52:32.439Z</td>\n",
       "      <td>2020-10-19T14:57:58.771Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'mitre-attack', 'external_id'...</td>\n",
       "      <td>This category is to associate techniques that ...</td>\n",
       "      <td>Do Not Mitigate</td>\n",
       "      <td>course-of-action--787fb64d-c87b-4ee5-a341-0ef1...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>2019-07-23T14:44:24.727Z</td>\n",
       "      <td>2019-07-19T14:58:42.715Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'mitre-attack', 'external_id'...</td>\n",
       "      <td>Implement configuration changes to software (o...</td>\n",
       "      <td>Software Configuration</td>\n",
       "      <td>course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e8...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>2020-03-31T13:11:09.471Z</td>\n",
       "      <td>2019-07-19T14:40:23.529Z</td>\n",
       "      <td>1.1</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'mitre-attack', 'external_id'...</td>\n",
       "      <td>Take and store data backups from end user syst...</td>\n",
       "      <td>Data Backup</td>\n",
       "      <td>course-of-action--3efe43d1-6f3f-4fcb-ab39-4a73...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>2020-03-31T13:11:28.201Z</td>\n",
       "      <td>2019-07-19T14:33:33.543Z</td>\n",
       "      <td>1.1</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                 external_references  \\\n",
       "0  [{'source_name': 'mitre-attack', 'external_id'...   \n",
       "1  [{'source_name': 'mitre-attack', 'external_id'...   \n",
       "2  [{'source_name': 'mitre-attack', 'external_id'...   \n",
       "3  [{'source_name': 'mitre-attack', 'external_id'...   \n",
       "\n",
       "                                         description                    name  \\\n",
       "0  This category is used for any applicable mitig...          Pre-compromise   \n",
       "1  This category is to associate techniques that ...         Do Not Mitigate   \n",
       "2  Implement configuration changes to software (o...  Software Configuration   \n",
       "3  Take and store data backups from end user syst...             Data Backup   \n",
       "\n",
       "                                                  id              type  \\\n",
       "0  course-of-action--78bb71be-92b4-46de-acd6-5f99...  course-of-action   \n",
       "1  course-of-action--787fb64d-c87b-4ee5-a341-0ef1...  course-of-action   \n",
       "2  course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e8...  course-of-action   \n",
       "3  course-of-action--3efe43d1-6f3f-4fcb-ab39-4a73...  course-of-action   \n",
       "\n",
       "                   modified                   created x_mitre_version  \\\n",
       "0  2020-10-20T19:52:32.439Z  2020-10-19T14:57:58.771Z             1.0   \n",
       "1  2019-07-23T14:44:24.727Z  2019-07-19T14:58:42.715Z             1.0   \n",
       "2  2020-03-31T13:11:09.471Z  2019-07-19T14:40:23.529Z             1.1   \n",
       "3  2020-03-31T13:11:28.201Z  2019-07-19T14:33:33.543Z             1.1   \n",
       "\n",
       "  x_mitre_deprecated x_mitre_old_attack_id  \n",
       "0                NaN                   NaN  \n",
       "1                NaN                   NaN  \n",
       "2                NaN                   NaN  \n",
       "3                NaN                   NaN  "
      ]
     },
     "execution_count": 15,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "mitigations = []\n",
    "for t in all_attack['mitigations']:\n",
    "    mitigations.append(json.loads(t.serialize()))\n",
    "df = pandas.json_normalize(mitigations)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 16,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "['created_by_ref',\n",
       " 'object_marking_refs',\n",
       " 'external_references',\n",
       " 'description',\n",
       " 'name',\n",
       " 'id',\n",
       " 'type',\n",
       " 'modified',\n",
       " 'created',\n",
       " 'x_mitre_version',\n",
       " 'x_mitre_deprecated',\n",
       " 'x_mitre_old_attack_id']"
      ]
     },
     "execution_count": 16,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "list(df)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Groups from ATT&CK Results (Locally)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 17,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Groups in ATT&CK\n",
      "113\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Groups in ATT&CK\")\n",
    "print(len(all_attack['groups']))"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "* Once again, we need to transform our results to dictionaries to be able to use them as pandas dataframes"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 18,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>external_references</th>\n",
       "      <th>name</th>\n",
       "      <th>description</th>\n",
       "      <th>type</th>\n",
       "      <th>id</th>\n",
       "      <th>aliases</th>\n",
       "      <th>modified</th>\n",
       "      <th>created</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_contributors</th>\n",
       "      <th>revoked</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'external_id': 'G0115', 'source_name': 'mitr...</td>\n",
       "      <td>GOLD SOUTHFIELD</td>\n",
       "      <td>[GOLD SOUTHFIELD](https://attack.mitre.org/gro...</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a...</td>\n",
       "      <td>[GOLD SOUTHFIELD]</td>\n",
       "      <td>2020-10-06T15:32:20.089Z</td>\n",
       "      <td>2020-09-22T19:41:27.845Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'external_id': 'G0114', 'source_name': 'mitr...</td>\n",
       "      <td>Chimera</td>\n",
       "      <td>[Chimera](https://attack.mitre.org/groups/G011...</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>intrusion-set--8c1f0187-0826-4320-bddc-5f326cf...</td>\n",
       "      <td>[Chimera]</td>\n",
       "      <td>2020-10-05T20:59:57.694Z</td>\n",
       "      <td>2020-08-24T17:01:55.842Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'external_id': 'G0112', 'source_name': 'mitr...</td>\n",
       "      <td>Windshift</td>\n",
       "      <td>[Windshift](https://attack.mitre.org/groups/G0...</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a...</td>\n",
       "      <td>[Windshift, Bahamut]</td>\n",
       "      <td>2020-06-26T13:46:14.122Z</td>\n",
       "      <td>2020-06-25T17:16:39.168Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'external_id': 'G0108', 'source_name': 'mitr...</td>\n",
       "      <td>Blue Mockingbird</td>\n",
       "      <td>[Blue Mockingbird](https://attack.mitre.org/gr...</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>intrusion-set--73a80fab-2aa3-48e0-a4d0-3a48282...</td>\n",
       "      <td>[Blue Mockingbird]</td>\n",
       "      <td>2020-06-25T13:59:09.596Z</td>\n",
       "      <td>2020-05-26T20:09:39.139Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[Tony Lambert, Red Canary]</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                 external_references              name  \\\n",
       "0  [{'external_id': 'G0115', 'source_name': 'mitr...   GOLD SOUTHFIELD   \n",
       "1  [{'external_id': 'G0114', 'source_name': 'mitr...           Chimera   \n",
       "2  [{'external_id': 'G0112', 'source_name': 'mitr...         Windshift   \n",
       "3  [{'external_id': 'G0108', 'source_name': 'mitr...  Blue Mockingbird   \n",
       "\n",
       "                                         description           type  \\\n",
       "0  [GOLD SOUTHFIELD](https://attack.mitre.org/gro...  intrusion-set   \n",
       "1  [Chimera](https://attack.mitre.org/groups/G011...  intrusion-set   \n",
       "2  [Windshift](https://attack.mitre.org/groups/G0...  intrusion-set   \n",
       "3  [Blue Mockingbird](https://attack.mitre.org/gr...  intrusion-set   \n",
       "\n",
       "                                                  id               aliases  \\\n",
       "0  intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a...     [GOLD SOUTHFIELD]   \n",
       "1  intrusion-set--8c1f0187-0826-4320-bddc-5f326cf...             [Chimera]   \n",
       "2  intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a...  [Windshift, Bahamut]   \n",
       "3  intrusion-set--73a80fab-2aa3-48e0-a4d0-3a48282...    [Blue Mockingbird]   \n",
       "\n",
       "                   modified                   created x_mitre_version  \\\n",
       "0  2020-10-06T15:32:20.089Z  2020-09-22T19:41:27.845Z             1.0   \n",
       "1  2020-10-05T20:59:57.694Z  2020-08-24T17:01:55.842Z             1.0   \n",
       "2  2020-06-26T13:46:14.122Z  2020-06-25T17:16:39.168Z             1.0   \n",
       "3  2020-06-25T13:59:09.596Z  2020-05-26T20:09:39.139Z             1.0   \n",
       "\n",
       "         x_mitre_contributors revoked  \n",
       "0                         NaN     NaN  \n",
       "1                         NaN     NaN  \n",
       "2                         NaN     NaN  \n",
       "3  [Tony Lambert, Red Canary]     NaN  "
      ]
     },
     "execution_count": 18,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "groups = []\n",
    "for t in all_attack['groups']:\n",
    "    groups.append(json.loads(t.serialize()))\n",
    "df = pandas.json_normalize(groups)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Showing the schema of Groups**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 19,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "['created_by_ref',\n",
       " 'object_marking_refs',\n",
       " 'external_references',\n",
       " 'name',\n",
       " 'description',\n",
       " 'type',\n",
       " 'id',\n",
       " 'aliases',\n",
       " 'modified',\n",
       " 'created',\n",
       " 'x_mitre_version',\n",
       " 'x_mitre_contributors',\n",
       " 'revoked']"
      ]
     },
     "execution_count": 19,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "list(df)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Showing one Groups example**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 20,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "{'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',\n",
       " 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],\n",
       " 'external_references': [{'external_id': 'G0115',\n",
       "   'source_name': 'mitre-attack',\n",
       "   'url': 'https://attack.mitre.org/groups/G0115'},\n",
       "  {'source_name': 'Secureworks REvil September 2019',\n",
       "   'url': 'https://www.secureworks.com/research/revil-sodinokibi-ransomware',\n",
       "   'description': 'Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.'},\n",
       "  {'source_name': 'Secureworks GandCrab and REvil September 2019',\n",
       "   'url': 'https://www.secureworks.com/blog/revil-the-gandcrab-connection',\n",
       "   'description': 'Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.'},\n",
       "  {'source_name': 'Secureworks GOLD SOUTHFIELD',\n",
       "   'url': 'https://www.secureworks.com/research/threat-profiles/gold-southfield',\n",
       "   'description': 'Secureworks. (n.d.). GOLD SOUTHFIELD. Retrieved October 6, 2020.'}],\n",
       " 'name': 'GOLD SOUTHFIELD',\n",
       " 'description': '[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2019 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)',\n",
       " 'type': 'intrusion-set',\n",
       " 'id': 'intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133',\n",
       " 'aliases': ['GOLD SOUTHFIELD'],\n",
       " 'modified': '2020-10-06T15:32:20.089Z',\n",
       " 'created': '2020-09-22T19:41:27.845Z',\n",
       " 'x_mitre_version': '1.0'}"
      ]
     },
     "execution_count": 20,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "groups[0]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Malware objects from ATT&CK Results (Locally)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 21,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Malware in ATT&CK\n",
      "459\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Malware in ATT&CK\")\n",
    "print(len(all_attack['malware']))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 22,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>external_references</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>description</th>\n",
       "      <th>name</th>\n",
       "      <th>id</th>\n",
       "      <th>type</th>\n",
       "      <th>labels</th>\n",
       "      <th>modified</th>\n",
       "      <th>created</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_aliases</th>\n",
       "      <th>x_mitre_platforms</th>\n",
       "      <th>x_mitre_contributors</th>\n",
       "      <th>revoked</th>\n",
       "      <th>x_mitre_old_attack_id</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>[{'external_id': 'S0519', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[SYNful Knock](https://attack.mitre.org/softwa...</td>\n",
       "      <td>SYNful Knock</td>\n",
       "      <td>malware--84c1ecc6-e5a2-4e8a-bf4b-651a618e0053</td>\n",
       "      <td>malware</td>\n",
       "      <td>[malware]</td>\n",
       "      <td>2020-10-22T17:35:04.950Z</td>\n",
       "      <td>2020-10-19T16:38:11.279Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[SYNful Knock]</td>\n",
       "      <td>[Network]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>[{'external_id': 'S0516', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[SoreFang](https://attack.mitre.org/software/S...</td>\n",
       "      <td>SoreFang</td>\n",
       "      <td>malware--e33e4603-afab-402d-b2a1-248d435b5fe0</td>\n",
       "      <td>malware</td>\n",
       "      <td>[malware]</td>\n",
       "      <td>2020-10-06T16:10:42.422Z</td>\n",
       "      <td>2020-09-29T19:33:35.122Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[SoreFang]</td>\n",
       "      <td>[Windows]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>[{'external_id': 'S0515', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[WellMail](https://attack.mitre.org/software/S...</td>\n",
       "      <td>WellMail</td>\n",
       "      <td>malware--959f3b19-2dc8-48d5-8942-c66813a5101a</td>\n",
       "      <td>malware</td>\n",
       "      <td>[malware]</td>\n",
       "      <td>2020-10-09T15:38:41.755Z</td>\n",
       "      <td>2020-09-29T17:48:27.517Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[WellMail]</td>\n",
       "      <td>[Windows]</td>\n",
       "      <td>[Josh Campbell, Cyborg Security, @cyb0rgsecur1ty]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>[{'external_id': 'S0514', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[WellMess](https://attack.mitre.org/software/S...</td>\n",
       "      <td>WellMess</td>\n",
       "      <td>malware--3a4197ae-ec63-4162-907b-9a073d1157e4</td>\n",
       "      <td>malware</td>\n",
       "      <td>[malware]</td>\n",
       "      <td>2020-10-09T19:41:25.983Z</td>\n",
       "      <td>2020-09-24T19:39:44.392Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[WellMess]</td>\n",
       "      <td>[Windows]</td>\n",
       "      <td>[Daniyal Naeem, @Mrdaniyalnaeem]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                 external_references  \\\n",
       "0  [{'external_id': 'S0519', 'source_name': 'mitr...   \n",
       "1  [{'external_id': 'S0516', 'source_name': 'mitr...   \n",
       "2  [{'external_id': 'S0515', 'source_name': 'mitr...   \n",
       "3  [{'external_id': 'S0514', 'source_name': 'mitr...   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                         description          name  \\\n",
       "0  [SYNful Knock](https://attack.mitre.org/softwa...  SYNful Knock   \n",
       "1  [SoreFang](https://attack.mitre.org/software/S...      SoreFang   \n",
       "2  [WellMail](https://attack.mitre.org/software/S...      WellMail   \n",
       "3  [WellMess](https://attack.mitre.org/software/S...      WellMess   \n",
       "\n",
       "                                              id     type     labels  \\\n",
       "0  malware--84c1ecc6-e5a2-4e8a-bf4b-651a618e0053  malware  [malware]   \n",
       "1  malware--e33e4603-afab-402d-b2a1-248d435b5fe0  malware  [malware]   \n",
       "2  malware--959f3b19-2dc8-48d5-8942-c66813a5101a  malware  [malware]   \n",
       "3  malware--3a4197ae-ec63-4162-907b-9a073d1157e4  malware  [malware]   \n",
       "\n",
       "                   modified                   created x_mitre_version  \\\n",
       "0  2020-10-22T17:35:04.950Z  2020-10-19T16:38:11.279Z             1.0   \n",
       "1  2020-10-06T16:10:42.422Z  2020-09-29T19:33:35.122Z             1.0   \n",
       "2  2020-10-09T15:38:41.755Z  2020-09-29T17:48:27.517Z             1.0   \n",
       "3  2020-10-09T19:41:25.983Z  2020-09-24T19:39:44.392Z             1.0   \n",
       "\n",
       "  x_mitre_aliases x_mitre_platforms  \\\n",
       "0  [SYNful Knock]         [Network]   \n",
       "1      [SoreFang]         [Windows]   \n",
       "2      [WellMail]         [Windows]   \n",
       "3      [WellMess]         [Windows]   \n",
       "\n",
       "                                x_mitre_contributors revoked  \\\n",
       "0                                                NaN     NaN   \n",
       "1                                                NaN     NaN   \n",
       "2  [Josh Campbell, Cyborg Security, @cyb0rgsecur1ty]     NaN   \n",
       "3                   [Daniyal Naeem, @Mrdaniyalnaeem]     NaN   \n",
       "\n",
       "  x_mitre_old_attack_id  \n",
       "0                   NaN  \n",
       "1                   NaN  \n",
       "2                   NaN  \n",
       "3                   NaN  "
      ]
     },
     "execution_count": 22,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "malware = []\n",
    "for t in all_attack['malware']:\n",
    "    malware.append(json.loads(t.serialize()))\n",
    "df = pandas.json_normalize(malware)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Showing the schema of Malware**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 23,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "['external_references',\n",
       " 'object_marking_refs',\n",
       " 'created_by_ref',\n",
       " 'description',\n",
       " 'name',\n",
       " 'id',\n",
       " 'type',\n",
       " 'labels',\n",
       " 'modified',\n",
       " 'created',\n",
       " 'x_mitre_version',\n",
       " 'x_mitre_aliases',\n",
       " 'x_mitre_platforms',\n",
       " 'x_mitre_contributors',\n",
       " 'revoked',\n",
       " 'x_mitre_old_attack_id']"
      ]
     },
     "execution_count": 23,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "list(df)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Showing one Malware example**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 24,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "{'external_references': [{'external_id': 'S0519',\n",
       "   'source_name': 'mitre-attack',\n",
       "   'url': 'https://attack.mitre.org/software/S0519'},\n",
       "  {'source_name': 'FireEye - Synful Knock',\n",
       "   'url': 'https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html',\n",
       "   'description': 'Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful Knock - A Cisco router implant - Part I. Retrieved October 19, 2020.'},\n",
       "  {'source_name': 'Cisco Synful Knock Evolution',\n",
       "   'url': 'https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices',\n",
       "   'description': 'Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.'}],\n",
       " 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],\n",
       " 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',\n",
       " 'description': \"[SYNful Knock](https://attack.mitre.org/software/S0519) is a stealthy modification of the operating system of network devices that can be used to maintain persistence within a victim's network and provide new capabilities to the adversary.(Citation: FireEye - Synful Knock)(Citation: Cisco Synful Knock Evolution)\",\n",
       " 'name': 'SYNful Knock',\n",
       " 'id': 'malware--84c1ecc6-e5a2-4e8a-bf4b-651a618e0053',\n",
       " 'type': 'malware',\n",
       " 'labels': ['malware'],\n",
       " 'modified': '2020-10-22T17:35:04.950Z',\n",
       " 'created': '2020-10-19T16:38:11.279Z',\n",
       " 'x_mitre_version': '1.0',\n",
       " 'x_mitre_aliases': ['SYNful Knock'],\n",
       " 'x_mitre_platforms': ['Network']}"
      ]
     },
     "execution_count": 24,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "malware[0]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Tools from ATT&CK Results (Locally)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 25,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Tools in ATT&CK\n",
      "64\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Tools in ATT&CK\")\n",
    "print(len(all_attack['tools']))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 26,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>id</th>\n",
       "      <th>name</th>\n",
       "      <th>description</th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>external_references</th>\n",
       "      <th>type</th>\n",
       "      <th>labels</th>\n",
       "      <th>modified</th>\n",
       "      <th>created</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_aliases</th>\n",
       "      <th>x_mitre_platforms</th>\n",
       "      <th>x_mitre_contributors</th>\n",
       "      <th>x_mitre_old_attack_id</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>tool--975737f1-b10d-476f-8bda-3ec26ea57172</td>\n",
       "      <td>MCMD</td>\n",
       "      <td>[MCMD](https://attack.mitre.org/software/S0500...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'external_id': 'S0500', 'source_name': 'mitr...</td>\n",
       "      <td>tool</td>\n",
       "      <td>[tool]</td>\n",
       "      <td>2020-08-20T14:52:23.369Z</td>\n",
       "      <td>2020-08-13T17:15:25.702Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[MCMD]</td>\n",
       "      <td>[Windows]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>tool--c4810609-7da6-48ec-8057-1b70a7814db0</td>\n",
       "      <td>CrackMapExec</td>\n",
       "      <td>[CrackMapExec](https://attack.mitre.org/softwa...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'external_id': 'S0488', 'source_name': 'mitr...</td>\n",
       "      <td>tool</td>\n",
       "      <td>[tool]</td>\n",
       "      <td>2020-07-29T20:19:40.544Z</td>\n",
       "      <td>2020-07-17T14:23:05.958Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[CrackMapExec]</td>\n",
       "      <td>[Windows]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>tool--5fc81b43-62b5-41b1-9113-c79ae5f030c4</td>\n",
       "      <td>CARROTBALL</td>\n",
       "      <td>[CARROTBALL](https://attack.mitre.org/software...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'external_id': 'S0465', 'source_name': 'mitr...</td>\n",
       "      <td>tool</td>\n",
       "      <td>[tool]</td>\n",
       "      <td>2020-06-10T14:44:23.055Z</td>\n",
       "      <td>2020-06-02T19:10:29.513Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[CARROTBALL]</td>\n",
       "      <td>[Windows]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>tool--115f88dd-0618-4389-83cb-98d33ae81848</td>\n",
       "      <td>ShimRatReporter</td>\n",
       "      <td>[ShimRatReporter](https://attack.mitre.org/sof...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'external_id': 'S0445', 'source_name': 'mitr...</td>\n",
       "      <td>tool</td>\n",
       "      <td>[tool]</td>\n",
       "      <td>2020-05-27T22:39:28.701Z</td>\n",
       "      <td>2020-05-12T21:29:48.294Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[ShimRatReporter]</td>\n",
       "      <td>[Windows]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                           id             name  \\\n",
       "0  tool--975737f1-b10d-476f-8bda-3ec26ea57172             MCMD   \n",
       "1  tool--c4810609-7da6-48ec-8057-1b70a7814db0     CrackMapExec   \n",
       "2  tool--5fc81b43-62b5-41b1-9113-c79ae5f030c4       CARROTBALL   \n",
       "3  tool--115f88dd-0618-4389-83cb-98d33ae81848  ShimRatReporter   \n",
       "\n",
       "                                         description  \\\n",
       "0  [MCMD](https://attack.mitre.org/software/S0500...   \n",
       "1  [CrackMapExec](https://attack.mitre.org/softwa...   \n",
       "2  [CARROTBALL](https://attack.mitre.org/software...   \n",
       "3  [ShimRatReporter](https://attack.mitre.org/sof...   \n",
       "\n",
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                 external_references  type  labels  \\\n",
       "0  [{'external_id': 'S0500', 'source_name': 'mitr...  tool  [tool]   \n",
       "1  [{'external_id': 'S0488', 'source_name': 'mitr...  tool  [tool]   \n",
       "2  [{'external_id': 'S0465', 'source_name': 'mitr...  tool  [tool]   \n",
       "3  [{'external_id': 'S0445', 'source_name': 'mitr...  tool  [tool]   \n",
       "\n",
       "                   modified                   created x_mitre_version  \\\n",
       "0  2020-08-20T14:52:23.369Z  2020-08-13T17:15:25.702Z             1.0   \n",
       "1  2020-07-29T20:19:40.544Z  2020-07-17T14:23:05.958Z             1.0   \n",
       "2  2020-06-10T14:44:23.055Z  2020-06-02T19:10:29.513Z             1.0   \n",
       "3  2020-05-27T22:39:28.701Z  2020-05-12T21:29:48.294Z             1.0   \n",
       "\n",
       "     x_mitre_aliases x_mitre_platforms x_mitre_contributors  \\\n",
       "0             [MCMD]         [Windows]                  NaN   \n",
       "1     [CrackMapExec]         [Windows]                  NaN   \n",
       "2       [CARROTBALL]         [Windows]                  NaN   \n",
       "3  [ShimRatReporter]         [Windows]                  NaN   \n",
       "\n",
       "  x_mitre_old_attack_id  \n",
       "0                   NaN  \n",
       "1                   NaN  \n",
       "2                   NaN  \n",
       "3                   NaN  "
      ]
     },
     "execution_count": 26,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "tools = []\n",
    "for t in all_attack['tools']:\n",
    "    tools.append(json.loads(t.serialize()))\n",
    "df = pandas.json_normalize(tools)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Showing the schema of Tools**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 27,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "['id',\n",
       " 'name',\n",
       " 'description',\n",
       " 'created_by_ref',\n",
       " 'object_marking_refs',\n",
       " 'external_references',\n",
       " 'type',\n",
       " 'labels',\n",
       " 'modified',\n",
       " 'created',\n",
       " 'x_mitre_version',\n",
       " 'x_mitre_aliases',\n",
       " 'x_mitre_platforms',\n",
       " 'x_mitre_contributors',\n",
       " 'x_mitre_old_attack_id']"
      ]
     },
     "execution_count": 27,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "list(df)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Showing one Tool example**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 28,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "{'id': 'tool--975737f1-b10d-476f-8bda-3ec26ea57172',\n",
       " 'name': 'MCMD',\n",
       " 'description': '[MCMD](https://attack.mitre.org/software/S0500) is a remote access tool that provides remote command shell capability used by [Dragonfly 2.0](https://attack.mitre.org/groups/G0074).(Citation: Secureworks MCMD July 2019)',\n",
       " 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',\n",
       " 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],\n",
       " 'external_references': [{'external_id': 'S0500',\n",
       "   'source_name': 'mitre-attack',\n",
       "   'url': 'https://attack.mitre.org/software/S0500'},\n",
       "  {'source_name': 'Secureworks MCMD July 2019',\n",
       "   'url': 'https://www.secureworks.com/research/mcmd-malware-analysis',\n",
       "   'description': 'Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.'}],\n",
       " 'type': 'tool',\n",
       " 'labels': ['tool'],\n",
       " 'modified': '2020-08-20T14:52:23.369Z',\n",
       " 'created': '2020-08-13T17:15:25.702Z',\n",
       " 'x_mitre_version': '1.0',\n",
       " 'x_mitre_aliases': ['MCMD'],\n",
       " 'x_mitre_platforms': ['Windows']}"
      ]
     },
     "execution_count": 28,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "tools[0]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Relationships from ATT&CK Results (Locally)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 29,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Relationships in ATT&CK\n",
      "10635\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Relationships in ATT&CK\")\n",
    "print(len(all_attack['relationships']))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 30,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>external_references</th>\n",
       "      <th>id</th>\n",
       "      <th>type</th>\n",
       "      <th>created</th>\n",
       "      <th>description</th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>modified</th>\n",
       "      <th>source_ref</th>\n",
       "      <th>relationship_type</th>\n",
       "      <th>target_ref</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'FireEye KEGTAP SINGLEMALT Oc...</td>\n",
       "      <td>relationship--fcee0cef-7d5b-49da-928c-2a3d0cfd...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2020-11-10T18:04:03.668Z</td>\n",
       "      <td>(Citation: FireEye KEGTAP SINGLEMALT October 2...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>2020-11-10T18:04:03.668Z</td>\n",
       "      <td>intrusion-set--dd2d9ca6-505b-4860-a604-233685b...</td>\n",
       "      <td>uses</td>\n",
       "      <td>malware--a7881f21-e978-4fe4-af56-92c9416a2616</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'FireEye KEGTAP SINGLEMALT Oc...</td>\n",
       "      <td>relationship--c118e50b-4559-4bff-bde5-78aa426f...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2020-11-10T18:04:03.666Z</td>\n",
       "      <td>(Citation: FireEye KEGTAP SINGLEMALT October 2...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>2020-11-10T18:04:03.666Z</td>\n",
       "      <td>intrusion-set--dd2d9ca6-505b-4860-a604-233685b...</td>\n",
       "      <td>uses</td>\n",
       "      <td>tool--afc079f3-c0ea-4096-b75d-3f05338b7f60</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'DFIR Ryuk's Return October 2...</td>\n",
       "      <td>relationship--43b9a1b5-6f95-4c6c-8e1f-59f9049e...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2020-11-10T18:04:03.589Z</td>\n",
       "      <td>(Citation: DFIR Ryuk's Return October 2020)(Ci...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>2020-11-10T18:04:03.589Z</td>\n",
       "      <td>intrusion-set--dd2d9ca6-505b-4860-a604-233685b...</td>\n",
       "      <td>uses</td>\n",
       "      <td>tool--b77b563c-34bb-4fb8-86a3-3694338f7b47</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'FireEye KEGTAP SINGLEMALT Oc...</td>\n",
       "      <td>relationship--585842e6-fe9a-4508-8e67-c232f8aa...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2020-11-10T18:04:03.571Z</td>\n",
       "      <td>(Citation: FireEye KEGTAP SINGLEMALT October 2...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>2020-11-10T18:04:03.571Z</td>\n",
       "      <td>intrusion-set--dd2d9ca6-505b-4860-a604-233685b...</td>\n",
       "      <td>uses</td>\n",
       "      <td>tool--981acc4c-2ede-4b56-be6e-fa1a75f37acf</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                 external_references  \\\n",
       "0  [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc...   \n",
       "1  [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc...   \n",
       "2  [{'source_name': 'DFIR Ryuk's Return October 2...   \n",
       "3  [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc...   \n",
       "\n",
       "                                                  id          type  \\\n",
       "0  relationship--fcee0cef-7d5b-49da-928c-2a3d0cfd...  relationship   \n",
       "1  relationship--c118e50b-4559-4bff-bde5-78aa426f...  relationship   \n",
       "2  relationship--43b9a1b5-6f95-4c6c-8e1f-59f9049e...  relationship   \n",
       "3  relationship--585842e6-fe9a-4508-8e67-c232f8aa...  relationship   \n",
       "\n",
       "                    created  \\\n",
       "0  2020-11-10T18:04:03.668Z   \n",
       "1  2020-11-10T18:04:03.666Z   \n",
       "2  2020-11-10T18:04:03.589Z   \n",
       "3  2020-11-10T18:04:03.571Z   \n",
       "\n",
       "                                         description  \\\n",
       "0  (Citation: FireEye KEGTAP SINGLEMALT October 2...   \n",
       "1  (Citation: FireEye KEGTAP SINGLEMALT October 2...   \n",
       "2  (Citation: DFIR Ryuk's Return October 2020)(Ci...   \n",
       "3  (Citation: FireEye KEGTAP SINGLEMALT October 2...   \n",
       "\n",
       "                                   created_by_ref                  modified  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5  2020-11-10T18:04:03.668Z   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5  2020-11-10T18:04:03.666Z   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5  2020-11-10T18:04:03.589Z   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5  2020-11-10T18:04:03.571Z   \n",
       "\n",
       "                                          source_ref relationship_type  \\\n",
       "0  intrusion-set--dd2d9ca6-505b-4860-a604-233685b...              uses   \n",
       "1  intrusion-set--dd2d9ca6-505b-4860-a604-233685b...              uses   \n",
       "2  intrusion-set--dd2d9ca6-505b-4860-a604-233685b...              uses   \n",
       "3  intrusion-set--dd2d9ca6-505b-4860-a604-233685b...              uses   \n",
       "\n",
       "                                      target_ref  \n",
       "0  malware--a7881f21-e978-4fe4-af56-92c9416a2616  \n",
       "1     tool--afc079f3-c0ea-4096-b75d-3f05338b7f60  \n",
       "2     tool--b77b563c-34bb-4fb8-86a3-3694338f7b47  \n",
       "3     tool--981acc4c-2ede-4b56-be6e-fa1a75f37acf  "
      ]
     },
     "execution_count": 30,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "relationships = []\n",
    "for t in all_attack['relationships']:\n",
    "    relationships.append(json.loads(t.serialize()))\n",
    "df = pandas.json_normalize(relationships)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Showing the schema of Relationships**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 31,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "['object_marking_refs',\n",
       " 'external_references',\n",
       " 'id',\n",
       " 'type',\n",
       " 'created',\n",
       " 'description',\n",
       " 'created_by_ref',\n",
       " 'modified',\n",
       " 'source_ref',\n",
       " 'relationship_type',\n",
       " 'target_ref']"
      ]
     },
     "execution_count": 31,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "list(df)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Showing one Relationship example**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 32,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "{'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],\n",
       " 'external_references': [{'source_name': 'FireEye KEGTAP SINGLEMALT October 2020',\n",
       "   'description': 'Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.',\n",
       "   'url': 'https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html'},\n",
       "  {'source_name': 'DHS/CISA Ransomware Targeting Healthcare October 2020',\n",
       "   'description': 'DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.',\n",
       "   'url': 'https://us-cert.cisa.gov/ncas/alerts/aa20-302a'},\n",
       "  {'source_name': \"DFIR Ryuk's Return October 2020\",\n",
       "   'description': 'The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.',\n",
       "   'url': 'https://thedfirreport.com/2020/10/08/ryuks-return/'},\n",
       "  {'source_name': 'DFIR Ryuk 2 Hour Speed Run November 2020',\n",
       "   'description': 'The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.',\n",
       "   'url': 'https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/'},\n",
       "  {'source_name': 'DFIR Ryuk in 5 Hours October 2020',\n",
       "   'description': 'The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020.',\n",
       "   'url': 'https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/'},\n",
       "  {'source_name': 'Sophos New Ryuk Attack October 2020',\n",
       "   'description': 'Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.',\n",
       "   'url': 'https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/'}],\n",
       " 'id': 'relationship--fcee0cef-7d5b-49da-928c-2a3d0cfd06b0',\n",
       " 'type': 'relationship',\n",
       " 'created': '2020-11-10T18:04:03.668Z',\n",
       " 'description': \"(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: DFIR Ryuk in 5 Hours October 2020)(Citation: Sophos New Ryuk Attack October 2020)\",\n",
       " 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',\n",
       " 'modified': '2020-11-10T18:04:03.668Z',\n",
       " 'source_ref': 'intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7',\n",
       " 'relationship_type': 'uses',\n",
       " 'target_ref': 'malware--a7881f21-e978-4fe4-af56-92c9416a2616'}"
      ]
     },
     "execution_count": 32,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "relationships[0]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Tactics from ATT&CK Results (Locally)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 33,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Tactics in ATT&CK\n",
      "54\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Tactics in ATT&CK\")\n",
    "print(len(all_attack['tactics']))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 34,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>external_references</th>\n",
       "      <th>name</th>\n",
       "      <th>description</th>\n",
       "      <th>id</th>\n",
       "      <th>type</th>\n",
       "      <th>modified</th>\n",
       "      <th>created</th>\n",
       "      <th>x_mitre_shortname</th>\n",
       "      <th>x_mitre_deprecated</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'external_id': 'TA0043', 'source_name': 'mit...</td>\n",
       "      <td>Reconnaissance</td>\n",
       "      <td>The adversary is trying to gather information ...</td>\n",
       "      <td>x-mitre-tactic--daa4cbb1-b4f4-4723-a824-7f1efd...</td>\n",
       "      <td>x-mitre-tactic</td>\n",
       "      <td>2020-10-18T02:04:50.842Z</td>\n",
       "      <td>2020-10-02T14:48:41.809Z</td>\n",
       "      <td>reconnaissance</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'external_id': 'TA0042', 'source_name': 'mit...</td>\n",
       "      <td>Resource Development</td>\n",
       "      <td>The adversary is trying to establish resources...</td>\n",
       "      <td>x-mitre-tactic--d679bca2-e57d-4935-8650-8031c8...</td>\n",
       "      <td>x-mitre-tactic</td>\n",
       "      <td>2020-09-30T16:31:36.322Z</td>\n",
       "      <td>2020-09-30T16:11:59.650Z</td>\n",
       "      <td>resource-development</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'external_id': 'TA0040', 'source_name': 'mit...</td>\n",
       "      <td>Impact</td>\n",
       "      <td>The adversary is trying to manipulate, interru...</td>\n",
       "      <td>x-mitre-tactic--5569339b-94c2-49ee-afb3-222293...</td>\n",
       "      <td>x-mitre-tactic</td>\n",
       "      <td>2019-07-25T18:42:23.222Z</td>\n",
       "      <td>2019-03-14T18:44:44.639Z</td>\n",
       "      <td>impact</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'external_id': 'TA0005', 'url': 'https://att...</td>\n",
       "      <td>Defense Evasion</td>\n",
       "      <td>The adversary is trying to avoid being detecte...</td>\n",
       "      <td>x-mitre-tactic--78b23412-0651-46d7-a540-170a1c...</td>\n",
       "      <td>x-mitre-tactic</td>\n",
       "      <td>2019-07-19T17:43:23.473Z</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>defense-evasion</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                 external_references                  name  \\\n",
       "0  [{'external_id': 'TA0043', 'source_name': 'mit...        Reconnaissance   \n",
       "1  [{'external_id': 'TA0042', 'source_name': 'mit...  Resource Development   \n",
       "2  [{'external_id': 'TA0040', 'source_name': 'mit...                Impact   \n",
       "3  [{'external_id': 'TA0005', 'url': 'https://att...       Defense Evasion   \n",
       "\n",
       "                                         description  \\\n",
       "0  The adversary is trying to gather information ...   \n",
       "1  The adversary is trying to establish resources...   \n",
       "2  The adversary is trying to manipulate, interru...   \n",
       "3  The adversary is trying to avoid being detecte...   \n",
       "\n",
       "                                                  id            type  \\\n",
       "0  x-mitre-tactic--daa4cbb1-b4f4-4723-a824-7f1efd...  x-mitre-tactic   \n",
       "1  x-mitre-tactic--d679bca2-e57d-4935-8650-8031c8...  x-mitre-tactic   \n",
       "2  x-mitre-tactic--5569339b-94c2-49ee-afb3-222293...  x-mitre-tactic   \n",
       "3  x-mitre-tactic--78b23412-0651-46d7-a540-170a1c...  x-mitre-tactic   \n",
       "\n",
       "                   modified                   created     x_mitre_shortname  \\\n",
       "0  2020-10-18T02:04:50.842Z  2020-10-02T14:48:41.809Z        reconnaissance   \n",
       "1  2020-09-30T16:31:36.322Z  2020-09-30T16:11:59.650Z  resource-development   \n",
       "2  2019-07-25T18:42:23.222Z  2019-03-14T18:44:44.639Z                impact   \n",
       "3  2019-07-19T17:43:23.473Z  2018-10-17T00:14:20.652Z       defense-evasion   \n",
       "\n",
       "  x_mitre_deprecated  \n",
       "0                NaN  \n",
       "1                NaN  \n",
       "2                NaN  \n",
       "3                NaN  "
      ]
     },
     "execution_count": 34,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "df = pandas.json_normalize(all_attack['tactics'])\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Showing the schema of Tactics**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 35,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "['created_by_ref',\n",
       " 'object_marking_refs',\n",
       " 'external_references',\n",
       " 'name',\n",
       " 'description',\n",
       " 'id',\n",
       " 'type',\n",
       " 'modified',\n",
       " 'created',\n",
       " 'x_mitre_shortname',\n",
       " 'x_mitre_deprecated']"
      ]
     },
     "execution_count": 35,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "list(df)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Matrices from ATT&CK Results (Locally)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 36,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Matrices in ATT&CK\n",
      "5\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Matrices in ATT&CK\")\n",
    "print(len(all_attack['matrix']))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 37,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>id</th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>name</th>\n",
       "      <th>description</th>\n",
       "      <th>external_references</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>type</th>\n",
       "      <th>tactic_refs</th>\n",
       "      <th>modified</th>\n",
       "      <th>created</th>\n",
       "      <th>x_mitre_deprecated</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>x-mitre-matrix--eafc1b4c-5e56-4965-bd4e-66a6a8...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>Enterprise ATT&amp;CK</td>\n",
       "      <td>Below are the tactics and technique representi...</td>\n",
       "      <td>[{'external_id': 'enterprise-attack', 'source_...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>x-mitre-matrix</td>\n",
       "      <td>[x-mitre-tactic--daa4cbb1-b4f4-4723-a824-7f1ef...</td>\n",
       "      <td>2020-10-27T02:27:31.332Z</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>x-mitre-matrix--2e2c97c3-1908-4e2d-a711-a27d38...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>PRE-ATT&amp;CK</td>\n",
       "      <td>This object is deprecated as its content has b...</td>\n",
       "      <td>[{'external_id': 'pre-attack', 'source_name': ...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>x-mitre-matrix</td>\n",
       "      <td>[x-mitre-tactic--b2a086f2-d3db-408b-b4d4-e09a1...</td>\n",
       "      <td>2020-10-22T15:43:48.844Z</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>True</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>x-mitre-matrix--a382db5e-d009-4135-b893-0e0ff0...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>Device Access</td>\n",
       "      <td>Below are the tactics and techniques represent...</td>\n",
       "      <td>[{'external_id': 'mobile-attack', 'url': 'http...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>x-mitre-matrix</td>\n",
       "      <td>[x-mitre-tactic--0a93fd8e-4a83-4c15-8203-db290...</td>\n",
       "      <td>2020-10-23T15:05:40.962Z</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>x-mitre-matrix--5104d5f0-16b7-4aec-8ae3-0a90cd...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>Network-Based Effects</td>\n",
       "      <td>Below are the tactics and techniques represent...</td>\n",
       "      <td>[{'external_id': 'mobile-attack', 'url': 'http...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>x-mitre-matrix</td>\n",
       "      <td>[x-mitre-tactic--9eb4c21e-4fa8-44c9-b167-dbfc4...</td>\n",
       "      <td>2020-07-02T14:18:17.535Z</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                                  id  \\\n",
       "0  x-mitre-matrix--eafc1b4c-5e56-4965-bd4e-66a6a8...   \n",
       "1  x-mitre-matrix--2e2c97c3-1908-4e2d-a711-a27d38...   \n",
       "2  x-mitre-matrix--a382db5e-d009-4135-b893-0e0ff0...   \n",
       "3  x-mitre-matrix--5104d5f0-16b7-4aec-8ae3-0a90cd...   \n",
       "\n",
       "                                   created_by_ref                   name  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5      Enterprise ATT&CK   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5             PRE-ATT&CK   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5          Device Access   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5  Network-Based Effects   \n",
       "\n",
       "                                         description  \\\n",
       "0  Below are the tactics and technique representi...   \n",
       "1  This object is deprecated as its content has b...   \n",
       "2  Below are the tactics and techniques represent...   \n",
       "3  Below are the tactics and techniques represent...   \n",
       "\n",
       "                                 external_references  \\\n",
       "0  [{'external_id': 'enterprise-attack', 'source_...   \n",
       "1  [{'external_id': 'pre-attack', 'source_name': ...   \n",
       "2  [{'external_id': 'mobile-attack', 'url': 'http...   \n",
       "3  [{'external_id': 'mobile-attack', 'url': 'http...   \n",
       "\n",
       "                                 object_marking_refs            type  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...  x-mitre-matrix   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...  x-mitre-matrix   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...  x-mitre-matrix   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...  x-mitre-matrix   \n",
       "\n",
       "                                         tactic_refs  \\\n",
       "0  [x-mitre-tactic--daa4cbb1-b4f4-4723-a824-7f1ef...   \n",
       "1  [x-mitre-tactic--b2a086f2-d3db-408b-b4d4-e09a1...   \n",
       "2  [x-mitre-tactic--0a93fd8e-4a83-4c15-8203-db290...   \n",
       "3  [x-mitre-tactic--9eb4c21e-4fa8-44c9-b167-dbfc4...   \n",
       "\n",
       "                   modified                   created x_mitre_deprecated  \n",
       "0  2020-10-27T02:27:31.332Z  2018-10-17T00:14:20.652Z                NaN  \n",
       "1  2020-10-22T15:43:48.844Z  2018-10-17T00:14:20.652Z               True  \n",
       "2  2020-10-23T15:05:40.962Z  2018-10-17T00:14:20.652Z                NaN  \n",
       "3  2020-07-02T14:18:17.535Z  2018-10-17T00:14:20.652Z                NaN  "
      ]
     },
     "execution_count": 37,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "df = pandas.json_normalize(all_attack['matrix'])\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Showing the schema of Tactics**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 38,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "['id',\n",
       " 'created_by_ref',\n",
       " 'name',\n",
       " 'description',\n",
       " 'external_references',\n",
       " 'object_marking_refs',\n",
       " 'type',\n",
       " 'tactic_refs',\n",
       " 'modified',\n",
       " 'created',\n",
       " 'x_mitre_deprecated']"
      ]
     },
     "execution_count": 38,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "list(df)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Enterprise ATT&CK ONLY from Results (Locally)\n",
    "* We can also grab the results from each get_* function that we run earlier, and start getting specific stix object types such as techniques, mitigations, groups, malware, tools and relationships on each specific matrix.\n",
    "* It is important to remember that the stix objec information is being retrieved from the results of the initial three **get_*** functions and not querying the TAXII Server every time we want to get information about a specific stix object type."
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Enterprise Techniques**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 39,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Techniques in Enterprise ATT&CK\n",
      "665\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Techniques in Enterprise ATT&CK\")\n",
    "print(len(all_enterprise['techniques']))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 40,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>id</th>\n",
       "      <th>description</th>\n",
       "      <th>name</th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>external_references</th>\n",
       "      <th>type</th>\n",
       "      <th>kill_chain_phases</th>\n",
       "      <th>modified</th>\n",
       "      <th>created</th>\n",
       "      <th>...</th>\n",
       "      <th>x_mitre_permissions_required</th>\n",
       "      <th>x_mitre_defense_bypassed</th>\n",
       "      <th>x_mitre_contributors</th>\n",
       "      <th>x_mitre_system_requirements</th>\n",
       "      <th>x_mitre_network_requirements</th>\n",
       "      <th>x_mitre_effective_permissions</th>\n",
       "      <th>x_mitre_remote_support</th>\n",
       "      <th>x_mitre_impact_type</th>\n",
       "      <th>revoked</th>\n",
       "      <th>x_mitre_deprecated</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>attack-pattern--818302b2-d640-477b-bf88-873120...</td>\n",
       "      <td>Adversaries may abuse scripting or built-in co...</td>\n",
       "      <td>Network Device CLI</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'mitre-attack', 'external_id'...</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>[{'kill_chain_name': 'mitre-attack', 'phase_na...</td>\n",
       "      <td>2020-10-22T16:43:38.388Z</td>\n",
       "      <td>2020-10-20T00:09:33.072Z</td>\n",
       "      <td>...</td>\n",
       "      <td>[Administrator, User]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>attack-pattern--52759bf1-fe12-4052-ace6-c5b0cf...</td>\n",
       "      <td>Adversaries may access network configuration f...</td>\n",
       "      <td>Network Device Configuration Dump</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'mitre-attack', 'external_id'...</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>[{'kill_chain_name': 'mitre-attack', 'phase_na...</td>\n",
       "      <td>2020-10-22T01:45:55.144Z</td>\n",
       "      <td>2020-10-20T00:08:21.745Z</td>\n",
       "      <td>...</td>\n",
       "      <td>[Administrator]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>attack-pattern--28abec6c-4443-4b03-8206-07f2e2...</td>\n",
       "      <td>Adversaries may abuse netbooting to load an un...</td>\n",
       "      <td>TFTP Boot</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'mitre-attack', 'external_id'...</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>[{'kill_chain_name': 'mitre-attack', 'phase_na...</td>\n",
       "      <td>2020-10-22T16:35:53.806Z</td>\n",
       "      <td>2020-10-20T00:06:56.180Z</td>\n",
       "      <td>...</td>\n",
       "      <td>[Administrator]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>attack-pattern--a6557c75-798f-42e4-be70-ab4502...</td>\n",
       "      <td>Adversaries may abuse the ROM Monitor (ROMMON)...</td>\n",
       "      <td>ROMMONkit</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'mitre-attack', 'external_id'...</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>[{'kill_chain_name': 'mitre-attack', 'phase_na...</td>\n",
       "      <td>2020-10-22T02:18:19.568Z</td>\n",
       "      <td>2020-10-20T00:05:48.790Z</td>\n",
       "      <td>...</td>\n",
       "      <td>[Administrator]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "<p>4 rows × 25 columns</p>\n",
       "</div>"
      ],
      "text/plain": [
       "                                                  id  \\\n",
       "0  attack-pattern--818302b2-d640-477b-bf88-873120...   \n",
       "1  attack-pattern--52759bf1-fe12-4052-ace6-c5b0cf...   \n",
       "2  attack-pattern--28abec6c-4443-4b03-8206-07f2e2...   \n",
       "3  attack-pattern--a6557c75-798f-42e4-be70-ab4502...   \n",
       "\n",
       "                                         description  \\\n",
       "0  Adversaries may abuse scripting or built-in co...   \n",
       "1  Adversaries may access network configuration f...   \n",
       "2  Adversaries may abuse netbooting to load an un...   \n",
       "3  Adversaries may abuse the ROM Monitor (ROMMON)...   \n",
       "\n",
       "                                name  \\\n",
       "0                 Network Device CLI   \n",
       "1  Network Device Configuration Dump   \n",
       "2                          TFTP Boot   \n",
       "3                          ROMMONkit   \n",
       "\n",
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                 external_references            type  \\\n",
       "0  [{'source_name': 'mitre-attack', 'external_id'...  attack-pattern   \n",
       "1  [{'source_name': 'mitre-attack', 'external_id'...  attack-pattern   \n",
       "2  [{'source_name': 'mitre-attack', 'external_id'...  attack-pattern   \n",
       "3  [{'source_name': 'mitre-attack', 'external_id'...  attack-pattern   \n",
       "\n",
       "                                   kill_chain_phases  \\\n",
       "0  [{'kill_chain_name': 'mitre-attack', 'phase_na...   \n",
       "1  [{'kill_chain_name': 'mitre-attack', 'phase_na...   \n",
       "2  [{'kill_chain_name': 'mitre-attack', 'phase_na...   \n",
       "3  [{'kill_chain_name': 'mitre-attack', 'phase_na...   \n",
       "\n",
       "                   modified                   created  ...  \\\n",
       "0  2020-10-22T16:43:38.388Z  2020-10-20T00:09:33.072Z  ...   \n",
       "1  2020-10-22T01:45:55.144Z  2020-10-20T00:08:21.745Z  ...   \n",
       "2  2020-10-22T16:35:53.806Z  2020-10-20T00:06:56.180Z  ...   \n",
       "3  2020-10-22T02:18:19.568Z  2020-10-20T00:05:48.790Z  ...   \n",
       "\n",
       "  x_mitre_permissions_required x_mitre_defense_bypassed x_mitre_contributors  \\\n",
       "0        [Administrator, User]                      NaN                  NaN   \n",
       "1              [Administrator]                      NaN                  NaN   \n",
       "2              [Administrator]                      NaN                  NaN   \n",
       "3              [Administrator]                      NaN                  NaN   \n",
       "\n",
       "  x_mitre_system_requirements x_mitre_network_requirements  \\\n",
       "0                         NaN                          NaN   \n",
       "1                         NaN                          NaN   \n",
       "2                         NaN                          NaN   \n",
       "3                         NaN                          NaN   \n",
       "\n",
       "  x_mitre_effective_permissions x_mitre_remote_support x_mitre_impact_type  \\\n",
       "0                           NaN                    NaN                 NaN   \n",
       "1                           NaN                    NaN                 NaN   \n",
       "2                           NaN                    NaN                 NaN   \n",
       "3                           NaN                    NaN                 NaN   \n",
       "\n",
       "  revoked x_mitre_deprecated  \n",
       "0     NaN                NaN  \n",
       "1     NaN                NaN  \n",
       "2     NaN                NaN  \n",
       "3     NaN                NaN  \n",
       "\n",
       "[4 rows x 25 columns]"
      ]
     },
     "execution_count": 40,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "techniques = []\n",
    "for t in all_enterprise['techniques']:\n",
    "    techniques.append(json.loads(t.serialize()))\n",
    "df = pandas.json_normalize(techniques)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Enterprise Mitigations**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 41,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Mitigations in Enterprise ATT&CK\n",
      "267\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Mitigations in Enterprise ATT&CK\")\n",
    "print(len(all_enterprise['mitigations']))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 42,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>external_references</th>\n",
       "      <th>description</th>\n",
       "      <th>name</th>\n",
       "      <th>id</th>\n",
       "      <th>type</th>\n",
       "      <th>modified</th>\n",
       "      <th>created</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_deprecated</th>\n",
       "      <th>x_mitre_old_attack_id</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'mitre-attack', 'external_id'...</td>\n",
       "      <td>This category is used for any applicable mitig...</td>\n",
       "      <td>Pre-compromise</td>\n",
       "      <td>course-of-action--78bb71be-92b4-46de-acd6-5f99...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>2020-10-20T19:52:32.439Z</td>\n",
       "      <td>2020-10-19T14:57:58.771Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'mitre-attack', 'external_id'...</td>\n",
       "      <td>This category is to associate techniques that ...</td>\n",
       "      <td>Do Not Mitigate</td>\n",
       "      <td>course-of-action--787fb64d-c87b-4ee5-a341-0ef1...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>2019-07-23T14:44:24.727Z</td>\n",
       "      <td>2019-07-19T14:58:42.715Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'mitre-attack', 'external_id'...</td>\n",
       "      <td>Implement configuration changes to software (o...</td>\n",
       "      <td>Software Configuration</td>\n",
       "      <td>course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e8...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>2020-03-31T13:11:09.471Z</td>\n",
       "      <td>2019-07-19T14:40:23.529Z</td>\n",
       "      <td>1.1</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'mitre-attack', 'external_id'...</td>\n",
       "      <td>Take and store data backups from end user syst...</td>\n",
       "      <td>Data Backup</td>\n",
       "      <td>course-of-action--3efe43d1-6f3f-4fcb-ab39-4a73...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>2020-03-31T13:11:28.201Z</td>\n",
       "      <td>2019-07-19T14:33:33.543Z</td>\n",
       "      <td>1.1</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>4</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'mitre-attack', 'external_id'...</td>\n",
       "      <td>Configure Windows User Account Control to miti...</td>\n",
       "      <td>User Account Control</td>\n",
       "      <td>course-of-action--2c2ad92a-d710-41ab-a996-1db1...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>2020-03-31T13:49:49.636Z</td>\n",
       "      <td>2019-06-11T17:14:35.170Z</td>\n",
       "      <td>1.1</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "4  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "4  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                 external_references  \\\n",
       "0  [{'source_name': 'mitre-attack', 'external_id'...   \n",
       "1  [{'source_name': 'mitre-attack', 'external_id'...   \n",
       "2  [{'source_name': 'mitre-attack', 'external_id'...   \n",
       "3  [{'source_name': 'mitre-attack', 'external_id'...   \n",
       "4  [{'source_name': 'mitre-attack', 'external_id'...   \n",
       "\n",
       "                                         description                    name  \\\n",
       "0  This category is used for any applicable mitig...          Pre-compromise   \n",
       "1  This category is to associate techniques that ...         Do Not Mitigate   \n",
       "2  Implement configuration changes to software (o...  Software Configuration   \n",
       "3  Take and store data backups from end user syst...             Data Backup   \n",
       "4  Configure Windows User Account Control to miti...    User Account Control   \n",
       "\n",
       "                                                  id              type  \\\n",
       "0  course-of-action--78bb71be-92b4-46de-acd6-5f99...  course-of-action   \n",
       "1  course-of-action--787fb64d-c87b-4ee5-a341-0ef1...  course-of-action   \n",
       "2  course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e8...  course-of-action   \n",
       "3  course-of-action--3efe43d1-6f3f-4fcb-ab39-4a73...  course-of-action   \n",
       "4  course-of-action--2c2ad92a-d710-41ab-a996-1db1...  course-of-action   \n",
       "\n",
       "                   modified                   created x_mitre_version  \\\n",
       "0  2020-10-20T19:52:32.439Z  2020-10-19T14:57:58.771Z             1.0   \n",
       "1  2019-07-23T14:44:24.727Z  2019-07-19T14:58:42.715Z             1.0   \n",
       "2  2020-03-31T13:11:09.471Z  2019-07-19T14:40:23.529Z             1.1   \n",
       "3  2020-03-31T13:11:28.201Z  2019-07-19T14:33:33.543Z             1.1   \n",
       "4  2020-03-31T13:49:49.636Z  2019-06-11T17:14:35.170Z             1.1   \n",
       "\n",
       "  x_mitre_deprecated x_mitre_old_attack_id  \n",
       "0                NaN                   NaN  \n",
       "1                NaN                   NaN  \n",
       "2                NaN                   NaN  \n",
       "3                NaN                   NaN  \n",
       "4                NaN                   NaN  "
      ]
     },
     "execution_count": 42,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "mitigations = []\n",
    "for t in all_enterprise['mitigations']:\n",
    "    mitigations.append(json.loads(t.serialize()))\n",
    "df = pandas.json_normalize(mitigations)\n",
    "df[0:5]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Enterprise Groups**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 43,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Groups in Enterprise ATT&CK\n",
      "110\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Groups in Enterprise ATT&CK\")\n",
    "print(len(all_enterprise['groups']))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 44,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>external_references</th>\n",
       "      <th>name</th>\n",
       "      <th>description</th>\n",
       "      <th>type</th>\n",
       "      <th>id</th>\n",
       "      <th>aliases</th>\n",
       "      <th>modified</th>\n",
       "      <th>created</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_contributors</th>\n",
       "      <th>revoked</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'external_id': 'G0115', 'source_name': 'mitr...</td>\n",
       "      <td>GOLD SOUTHFIELD</td>\n",
       "      <td>[GOLD SOUTHFIELD](https://attack.mitre.org/gro...</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a...</td>\n",
       "      <td>[GOLD SOUTHFIELD]</td>\n",
       "      <td>2020-10-06T15:32:20.089Z</td>\n",
       "      <td>2020-09-22T19:41:27.845Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'external_id': 'G0114', 'source_name': 'mitr...</td>\n",
       "      <td>Chimera</td>\n",
       "      <td>[Chimera](https://attack.mitre.org/groups/G011...</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>intrusion-set--8c1f0187-0826-4320-bddc-5f326cf...</td>\n",
       "      <td>[Chimera]</td>\n",
       "      <td>2020-10-05T20:59:57.694Z</td>\n",
       "      <td>2020-08-24T17:01:55.842Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'external_id': 'G0112', 'source_name': 'mitr...</td>\n",
       "      <td>Windshift</td>\n",
       "      <td>[Windshift](https://attack.mitre.org/groups/G0...</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a...</td>\n",
       "      <td>[Windshift, Bahamut]</td>\n",
       "      <td>2020-06-26T13:46:14.122Z</td>\n",
       "      <td>2020-06-25T17:16:39.168Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'external_id': 'G0108', 'source_name': 'mitr...</td>\n",
       "      <td>Blue Mockingbird</td>\n",
       "      <td>[Blue Mockingbird](https://attack.mitre.org/gr...</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>intrusion-set--73a80fab-2aa3-48e0-a4d0-3a48282...</td>\n",
       "      <td>[Blue Mockingbird]</td>\n",
       "      <td>2020-06-25T13:59:09.596Z</td>\n",
       "      <td>2020-05-26T20:09:39.139Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[Tony Lambert, Red Canary]</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                 external_references              name  \\\n",
       "0  [{'external_id': 'G0115', 'source_name': 'mitr...   GOLD SOUTHFIELD   \n",
       "1  [{'external_id': 'G0114', 'source_name': 'mitr...           Chimera   \n",
       "2  [{'external_id': 'G0112', 'source_name': 'mitr...         Windshift   \n",
       "3  [{'external_id': 'G0108', 'source_name': 'mitr...  Blue Mockingbird   \n",
       "\n",
       "                                         description           type  \\\n",
       "0  [GOLD SOUTHFIELD](https://attack.mitre.org/gro...  intrusion-set   \n",
       "1  [Chimera](https://attack.mitre.org/groups/G011...  intrusion-set   \n",
       "2  [Windshift](https://attack.mitre.org/groups/G0...  intrusion-set   \n",
       "3  [Blue Mockingbird](https://attack.mitre.org/gr...  intrusion-set   \n",
       "\n",
       "                                                  id               aliases  \\\n",
       "0  intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a...     [GOLD SOUTHFIELD]   \n",
       "1  intrusion-set--8c1f0187-0826-4320-bddc-5f326cf...             [Chimera]   \n",
       "2  intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a...  [Windshift, Bahamut]   \n",
       "3  intrusion-set--73a80fab-2aa3-48e0-a4d0-3a48282...    [Blue Mockingbird]   \n",
       "\n",
       "                   modified                   created x_mitre_version  \\\n",
       "0  2020-10-06T15:32:20.089Z  2020-09-22T19:41:27.845Z             1.0   \n",
       "1  2020-10-05T20:59:57.694Z  2020-08-24T17:01:55.842Z             1.0   \n",
       "2  2020-06-26T13:46:14.122Z  2020-06-25T17:16:39.168Z             1.0   \n",
       "3  2020-06-25T13:59:09.596Z  2020-05-26T20:09:39.139Z             1.0   \n",
       "\n",
       "         x_mitre_contributors revoked  \n",
       "0                         NaN     NaN  \n",
       "1                         NaN     NaN  \n",
       "2                         NaN     NaN  \n",
       "3  [Tony Lambert, Red Canary]     NaN  "
      ]
     },
     "execution_count": 44,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "groups = []\n",
    "for t in all_enterprise['groups']:\n",
    "    groups.append(json.loads(t.serialize()))\n",
    "df = pandas.json_normalize(groups)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Enterprise Malware**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 45,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Malware objects in Enterprise ATT&CK\n",
      "376\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Malware objects in Enterprise ATT&CK\")\n",
    "print(len(all_enterprise['malware']))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 46,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>external_references</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>description</th>\n",
       "      <th>name</th>\n",
       "      <th>id</th>\n",
       "      <th>type</th>\n",
       "      <th>labels</th>\n",
       "      <th>modified</th>\n",
       "      <th>created</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_aliases</th>\n",
       "      <th>x_mitre_platforms</th>\n",
       "      <th>x_mitre_contributors</th>\n",
       "      <th>revoked</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>[{'external_id': 'S0519', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[SYNful Knock](https://attack.mitre.org/softwa...</td>\n",
       "      <td>SYNful Knock</td>\n",
       "      <td>malware--84c1ecc6-e5a2-4e8a-bf4b-651a618e0053</td>\n",
       "      <td>malware</td>\n",
       "      <td>[malware]</td>\n",
       "      <td>2020-10-22T17:35:04.950Z</td>\n",
       "      <td>2020-10-19T16:38:11.279Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[SYNful Knock]</td>\n",
       "      <td>[Network]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>[{'external_id': 'S0516', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[SoreFang](https://attack.mitre.org/software/S...</td>\n",
       "      <td>SoreFang</td>\n",
       "      <td>malware--e33e4603-afab-402d-b2a1-248d435b5fe0</td>\n",
       "      <td>malware</td>\n",
       "      <td>[malware]</td>\n",
       "      <td>2020-10-06T16:10:42.422Z</td>\n",
       "      <td>2020-09-29T19:33:35.122Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[SoreFang]</td>\n",
       "      <td>[Windows]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>[{'external_id': 'S0515', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[WellMail](https://attack.mitre.org/software/S...</td>\n",
       "      <td>WellMail</td>\n",
       "      <td>malware--959f3b19-2dc8-48d5-8942-c66813a5101a</td>\n",
       "      <td>malware</td>\n",
       "      <td>[malware]</td>\n",
       "      <td>2020-10-09T15:38:41.755Z</td>\n",
       "      <td>2020-09-29T17:48:27.517Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[WellMail]</td>\n",
       "      <td>[Windows]</td>\n",
       "      <td>[Josh Campbell, Cyborg Security, @cyb0rgsecur1ty]</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>[{'external_id': 'S0514', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[WellMess](https://attack.mitre.org/software/S...</td>\n",
       "      <td>WellMess</td>\n",
       "      <td>malware--3a4197ae-ec63-4162-907b-9a073d1157e4</td>\n",
       "      <td>malware</td>\n",
       "      <td>[malware]</td>\n",
       "      <td>2020-10-09T19:41:25.983Z</td>\n",
       "      <td>2020-09-24T19:39:44.392Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[WellMess]</td>\n",
       "      <td>[Windows]</td>\n",
       "      <td>[Daniyal Naeem, @Mrdaniyalnaeem]</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                 external_references  \\\n",
       "0  [{'external_id': 'S0519', 'source_name': 'mitr...   \n",
       "1  [{'external_id': 'S0516', 'source_name': 'mitr...   \n",
       "2  [{'external_id': 'S0515', 'source_name': 'mitr...   \n",
       "3  [{'external_id': 'S0514', 'source_name': 'mitr...   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                         description          name  \\\n",
       "0  [SYNful Knock](https://attack.mitre.org/softwa...  SYNful Knock   \n",
       "1  [SoreFang](https://attack.mitre.org/software/S...      SoreFang   \n",
       "2  [WellMail](https://attack.mitre.org/software/S...      WellMail   \n",
       "3  [WellMess](https://attack.mitre.org/software/S...      WellMess   \n",
       "\n",
       "                                              id     type     labels  \\\n",
       "0  malware--84c1ecc6-e5a2-4e8a-bf4b-651a618e0053  malware  [malware]   \n",
       "1  malware--e33e4603-afab-402d-b2a1-248d435b5fe0  malware  [malware]   \n",
       "2  malware--959f3b19-2dc8-48d5-8942-c66813a5101a  malware  [malware]   \n",
       "3  malware--3a4197ae-ec63-4162-907b-9a073d1157e4  malware  [malware]   \n",
       "\n",
       "                   modified                   created x_mitre_version  \\\n",
       "0  2020-10-22T17:35:04.950Z  2020-10-19T16:38:11.279Z             1.0   \n",
       "1  2020-10-06T16:10:42.422Z  2020-09-29T19:33:35.122Z             1.0   \n",
       "2  2020-10-09T15:38:41.755Z  2020-09-29T17:48:27.517Z             1.0   \n",
       "3  2020-10-09T19:41:25.983Z  2020-09-24T19:39:44.392Z             1.0   \n",
       "\n",
       "  x_mitre_aliases x_mitre_platforms  \\\n",
       "0  [SYNful Knock]         [Network]   \n",
       "1      [SoreFang]         [Windows]   \n",
       "2      [WellMail]         [Windows]   \n",
       "3      [WellMess]         [Windows]   \n",
       "\n",
       "                                x_mitre_contributors revoked  \n",
       "0                                                NaN     NaN  \n",
       "1                                                NaN     NaN  \n",
       "2  [Josh Campbell, Cyborg Security, @cyb0rgsecur1ty]     NaN  \n",
       "3                   [Daniyal Naeem, @Mrdaniyalnaeem]     NaN  "
      ]
     },
     "execution_count": 46,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "malware = []\n",
    "for t in all_enterprise['malware']:\n",
    "    malware.append(json.loads(t.serialize()))\n",
    "df = pandas.json_normalize(malware)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Enterprise Tools**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 47,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Tools in Enterprise ATT&CK\n",
      "62\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Tools in Enterprise ATT&CK\")\n",
    "print(len(all_enterprise['tools']))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 48,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>id</th>\n",
       "      <th>name</th>\n",
       "      <th>description</th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>external_references</th>\n",
       "      <th>type</th>\n",
       "      <th>labels</th>\n",
       "      <th>modified</th>\n",
       "      <th>created</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_aliases</th>\n",
       "      <th>x_mitre_platforms</th>\n",
       "      <th>x_mitre_contributors</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>tool--975737f1-b10d-476f-8bda-3ec26ea57172</td>\n",
       "      <td>MCMD</td>\n",
       "      <td>[MCMD](https://attack.mitre.org/software/S0500...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'external_id': 'S0500', 'source_name': 'mitr...</td>\n",
       "      <td>tool</td>\n",
       "      <td>[tool]</td>\n",
       "      <td>2020-08-20T14:52:23.369Z</td>\n",
       "      <td>2020-08-13T17:15:25.702Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[MCMD]</td>\n",
       "      <td>[Windows]</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>tool--c4810609-7da6-48ec-8057-1b70a7814db0</td>\n",
       "      <td>CrackMapExec</td>\n",
       "      <td>[CrackMapExec](https://attack.mitre.org/softwa...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'external_id': 'S0488', 'source_name': 'mitr...</td>\n",
       "      <td>tool</td>\n",
       "      <td>[tool]</td>\n",
       "      <td>2020-07-29T20:19:40.544Z</td>\n",
       "      <td>2020-07-17T14:23:05.958Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[CrackMapExec]</td>\n",
       "      <td>[Windows]</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>tool--5fc81b43-62b5-41b1-9113-c79ae5f030c4</td>\n",
       "      <td>CARROTBALL</td>\n",
       "      <td>[CARROTBALL](https://attack.mitre.org/software...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'external_id': 'S0465', 'source_name': 'mitr...</td>\n",
       "      <td>tool</td>\n",
       "      <td>[tool]</td>\n",
       "      <td>2020-06-10T14:44:23.055Z</td>\n",
       "      <td>2020-06-02T19:10:29.513Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[CARROTBALL]</td>\n",
       "      <td>[Windows]</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>tool--115f88dd-0618-4389-83cb-98d33ae81848</td>\n",
       "      <td>ShimRatReporter</td>\n",
       "      <td>[ShimRatReporter](https://attack.mitre.org/sof...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'external_id': 'S0445', 'source_name': 'mitr...</td>\n",
       "      <td>tool</td>\n",
       "      <td>[tool]</td>\n",
       "      <td>2020-05-27T22:39:28.701Z</td>\n",
       "      <td>2020-05-12T21:29:48.294Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[ShimRatReporter]</td>\n",
       "      <td>[Windows]</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                           id             name  \\\n",
       "0  tool--975737f1-b10d-476f-8bda-3ec26ea57172             MCMD   \n",
       "1  tool--c4810609-7da6-48ec-8057-1b70a7814db0     CrackMapExec   \n",
       "2  tool--5fc81b43-62b5-41b1-9113-c79ae5f030c4       CARROTBALL   \n",
       "3  tool--115f88dd-0618-4389-83cb-98d33ae81848  ShimRatReporter   \n",
       "\n",
       "                                         description  \\\n",
       "0  [MCMD](https://attack.mitre.org/software/S0500...   \n",
       "1  [CrackMapExec](https://attack.mitre.org/softwa...   \n",
       "2  [CARROTBALL](https://attack.mitre.org/software...   \n",
       "3  [ShimRatReporter](https://attack.mitre.org/sof...   \n",
       "\n",
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                 external_references  type  labels  \\\n",
       "0  [{'external_id': 'S0500', 'source_name': 'mitr...  tool  [tool]   \n",
       "1  [{'external_id': 'S0488', 'source_name': 'mitr...  tool  [tool]   \n",
       "2  [{'external_id': 'S0465', 'source_name': 'mitr...  tool  [tool]   \n",
       "3  [{'external_id': 'S0445', 'source_name': 'mitr...  tool  [tool]   \n",
       "\n",
       "                   modified                   created x_mitre_version  \\\n",
       "0  2020-08-20T14:52:23.369Z  2020-08-13T17:15:25.702Z             1.0   \n",
       "1  2020-07-29T20:19:40.544Z  2020-07-17T14:23:05.958Z             1.0   \n",
       "2  2020-06-10T14:44:23.055Z  2020-06-02T19:10:29.513Z             1.0   \n",
       "3  2020-05-27T22:39:28.701Z  2020-05-12T21:29:48.294Z             1.0   \n",
       "\n",
       "     x_mitre_aliases x_mitre_platforms x_mitre_contributors  \n",
       "0             [MCMD]         [Windows]                  NaN  \n",
       "1     [CrackMapExec]         [Windows]                  NaN  \n",
       "2       [CARROTBALL]         [Windows]                  NaN  \n",
       "3  [ShimRatReporter]         [Windows]                  NaN  "
      ]
     },
     "execution_count": 48,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "tools = []\n",
    "for t in all_enterprise['tools']:\n",
    "    tools.append(json.loads(t.serialize()))\n",
    "df = pandas.json_normalize(tools)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Enterprise Relationships**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 49,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Relationships in Enterprise ATT&CK\n",
      "9263\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Relationships in Enterprise ATT&CK\")\n",
    "print(len(all_enterprise['relationships']))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 50,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>external_references</th>\n",
       "      <th>id</th>\n",
       "      <th>type</th>\n",
       "      <th>created</th>\n",
       "      <th>description</th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>modified</th>\n",
       "      <th>source_ref</th>\n",
       "      <th>relationship_type</th>\n",
       "      <th>target_ref</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'FireEye KEGTAP SINGLEMALT Oc...</td>\n",
       "      <td>relationship--fcee0cef-7d5b-49da-928c-2a3d0cfd...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2020-11-10T18:04:03.668Z</td>\n",
       "      <td>(Citation: FireEye KEGTAP SINGLEMALT October 2...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>2020-11-10T18:04:03.668Z</td>\n",
       "      <td>intrusion-set--dd2d9ca6-505b-4860-a604-233685b...</td>\n",
       "      <td>uses</td>\n",
       "      <td>malware--a7881f21-e978-4fe4-af56-92c9416a2616</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'FireEye KEGTAP SINGLEMALT Oc...</td>\n",
       "      <td>relationship--c118e50b-4559-4bff-bde5-78aa426f...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2020-11-10T18:04:03.666Z</td>\n",
       "      <td>(Citation: FireEye KEGTAP SINGLEMALT October 2...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>2020-11-10T18:04:03.666Z</td>\n",
       "      <td>intrusion-set--dd2d9ca6-505b-4860-a604-233685b...</td>\n",
       "      <td>uses</td>\n",
       "      <td>tool--afc079f3-c0ea-4096-b75d-3f05338b7f60</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'DFIR Ryuk's Return October 2...</td>\n",
       "      <td>relationship--43b9a1b5-6f95-4c6c-8e1f-59f9049e...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2020-11-10T18:04:03.589Z</td>\n",
       "      <td>(Citation: DFIR Ryuk's Return October 2020)(Ci...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>2020-11-10T18:04:03.589Z</td>\n",
       "      <td>intrusion-set--dd2d9ca6-505b-4860-a604-233685b...</td>\n",
       "      <td>uses</td>\n",
       "      <td>tool--b77b563c-34bb-4fb8-86a3-3694338f7b47</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'FireEye KEGTAP SINGLEMALT Oc...</td>\n",
       "      <td>relationship--585842e6-fe9a-4508-8e67-c232f8aa...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2020-11-10T18:04:03.571Z</td>\n",
       "      <td>(Citation: FireEye KEGTAP SINGLEMALT October 2...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>2020-11-10T18:04:03.571Z</td>\n",
       "      <td>intrusion-set--dd2d9ca6-505b-4860-a604-233685b...</td>\n",
       "      <td>uses</td>\n",
       "      <td>tool--981acc4c-2ede-4b56-be6e-fa1a75f37acf</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                 external_references  \\\n",
       "0  [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc...   \n",
       "1  [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc...   \n",
       "2  [{'source_name': 'DFIR Ryuk's Return October 2...   \n",
       "3  [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc...   \n",
       "\n",
       "                                                  id          type  \\\n",
       "0  relationship--fcee0cef-7d5b-49da-928c-2a3d0cfd...  relationship   \n",
       "1  relationship--c118e50b-4559-4bff-bde5-78aa426f...  relationship   \n",
       "2  relationship--43b9a1b5-6f95-4c6c-8e1f-59f9049e...  relationship   \n",
       "3  relationship--585842e6-fe9a-4508-8e67-c232f8aa...  relationship   \n",
       "\n",
       "                    created  \\\n",
       "0  2020-11-10T18:04:03.668Z   \n",
       "1  2020-11-10T18:04:03.666Z   \n",
       "2  2020-11-10T18:04:03.589Z   \n",
       "3  2020-11-10T18:04:03.571Z   \n",
       "\n",
       "                                         description  \\\n",
       "0  (Citation: FireEye KEGTAP SINGLEMALT October 2...   \n",
       "1  (Citation: FireEye KEGTAP SINGLEMALT October 2...   \n",
       "2  (Citation: DFIR Ryuk's Return October 2020)(Ci...   \n",
       "3  (Citation: FireEye KEGTAP SINGLEMALT October 2...   \n",
       "\n",
       "                                   created_by_ref                  modified  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5  2020-11-10T18:04:03.668Z   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5  2020-11-10T18:04:03.666Z   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5  2020-11-10T18:04:03.589Z   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5  2020-11-10T18:04:03.571Z   \n",
       "\n",
       "                                          source_ref relationship_type  \\\n",
       "0  intrusion-set--dd2d9ca6-505b-4860-a604-233685b...              uses   \n",
       "1  intrusion-set--dd2d9ca6-505b-4860-a604-233685b...              uses   \n",
       "2  intrusion-set--dd2d9ca6-505b-4860-a604-233685b...              uses   \n",
       "3  intrusion-set--dd2d9ca6-505b-4860-a604-233685b...              uses   \n",
       "\n",
       "                                      target_ref  \n",
       "0  malware--a7881f21-e978-4fe4-af56-92c9416a2616  \n",
       "1     tool--afc079f3-c0ea-4096-b75d-3f05338b7f60  \n",
       "2     tool--b77b563c-34bb-4fb8-86a3-3694338f7b47  \n",
       "3     tool--981acc4c-2ede-4b56-be6e-fa1a75f37acf  "
      ]
     },
     "execution_count": 50,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "relations = []\n",
    "for t in all_enterprise['relationships']:\n",
    "    relations.append(json.loads(t.serialize()))\n",
    "df = pandas.json_normalize(relations)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Mobile ATT&CK ONLY from Results (Locally)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Mobile Techniques**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 51,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Techniques in Mobile ATT&CK\n",
      "104\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Techniques in Mobile ATT&CK\")\n",
    "print(len(all_mobile['techniques']))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 52,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>external_references</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>name</th>\n",
       "      <th>description</th>\n",
       "      <th>id</th>\n",
       "      <th>type</th>\n",
       "      <th>kill_chain_phases</th>\n",
       "      <th>modified</th>\n",
       "      <th>created</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_is_subtechnique</th>\n",
       "      <th>x_mitre_tactic_type</th>\n",
       "      <th>x_mitre_detection</th>\n",
       "      <th>x_mitre_platforms</th>\n",
       "      <th>x_mitre_contributors</th>\n",
       "      <th>x_mitre_old_attack_id</th>\n",
       "      <th>revoked</th>\n",
       "      <th>x_mitre_deprecated</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>[{'source_name': 'mitre-mobile-attack', 'exter...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>SMS Control</td>\n",
       "      <td>Adversaries may delete, alter, or send SMS mes...</td>\n",
       "      <td>attack-pattern--b327a9c0-e709-495c-aa6e-00b042...</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>[{'kill_chain_name': 'mitre-mobile-attack', 'p...</td>\n",
       "      <td>2020-10-22T17:04:15.578Z</td>\n",
       "      <td>2020-09-11T15:14:33.730Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>False</td>\n",
       "      <td>[Post-Adversary Device Access]</td>\n",
       "      <td>Users can view the default SMS handler in syst...</td>\n",
       "      <td>[Android]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>[{'source_name': 'mitre-mobile-attack', 'exter...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>Geofencing</td>\n",
       "      <td>Adversaries may use a device’s geographical lo...</td>\n",
       "      <td>attack-pattern--8197f026-64da-4700-93b9-b55ba5...</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>[{'kill_chain_name': 'mitre-mobile-attack', 'p...</td>\n",
       "      <td>2020-10-01T12:43:41.494Z</td>\n",
       "      <td>2020-09-11T15:04:14.532Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>False</td>\n",
       "      <td>[Post-Adversary Device Access]</td>\n",
       "      <td>Users can review which applications have locat...</td>\n",
       "      <td>[Android, iOS]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>[{'source_name': 'mitre-mobile-attack', 'exter...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>Keychain</td>\n",
       "      <td>Adversaries may collect the keychain storage d...</td>\n",
       "      <td>attack-pattern--27f483c6-6666-44fa-8532-ffd5fc...</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>[{'kill_chain_name': 'mitre-mobile-attack', 'p...</td>\n",
       "      <td>2020-06-24T19:02:46.237Z</td>\n",
       "      <td>2020-06-24T17:33:49.778Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>False</td>\n",
       "      <td>[Post-Adversary Device Access]</td>\n",
       "      <td>Mobile security products can potentially detec...</td>\n",
       "      <td>[iOS]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>[{'source_name': 'mitre-mobile-attack', 'exter...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>Compromise Application Executable</td>\n",
       "      <td>Adversaries may modify applications installed ...</td>\n",
       "      <td>attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e5631...</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>[{'kill_chain_name': 'mitre-mobile-attack', 'p...</td>\n",
       "      <td>2020-05-27T13:23:34.159Z</td>\n",
       "      <td>2020-05-07T15:24:49.068Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>False</td>\n",
       "      <td>[Post-Adversary Device Access]</td>\n",
       "      <td>This behavior is seamless to the user and is t...</td>\n",
       "      <td>[Android]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                 external_references  \\\n",
       "0  [{'source_name': 'mitre-mobile-attack', 'exter...   \n",
       "1  [{'source_name': 'mitre-mobile-attack', 'exter...   \n",
       "2  [{'source_name': 'mitre-mobile-attack', 'exter...   \n",
       "3  [{'source_name': 'mitre-mobile-attack', 'exter...   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                name  \\\n",
       "0                        SMS Control   \n",
       "1                         Geofencing   \n",
       "2                           Keychain   \n",
       "3  Compromise Application Executable   \n",
       "\n",
       "                                         description  \\\n",
       "0  Adversaries may delete, alter, or send SMS mes...   \n",
       "1  Adversaries may use a device’s geographical lo...   \n",
       "2  Adversaries may collect the keychain storage d...   \n",
       "3  Adversaries may modify applications installed ...   \n",
       "\n",
       "                                                  id            type  \\\n",
       "0  attack-pattern--b327a9c0-e709-495c-aa6e-00b042...  attack-pattern   \n",
       "1  attack-pattern--8197f026-64da-4700-93b9-b55ba5...  attack-pattern   \n",
       "2  attack-pattern--27f483c6-6666-44fa-8532-ffd5fc...  attack-pattern   \n",
       "3  attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e5631...  attack-pattern   \n",
       "\n",
       "                                   kill_chain_phases  \\\n",
       "0  [{'kill_chain_name': 'mitre-mobile-attack', 'p...   \n",
       "1  [{'kill_chain_name': 'mitre-mobile-attack', 'p...   \n",
       "2  [{'kill_chain_name': 'mitre-mobile-attack', 'p...   \n",
       "3  [{'kill_chain_name': 'mitre-mobile-attack', 'p...   \n",
       "\n",
       "                   modified                   created x_mitre_version  \\\n",
       "0  2020-10-22T17:04:15.578Z  2020-09-11T15:14:33.730Z             1.0   \n",
       "1  2020-10-01T12:43:41.494Z  2020-09-11T15:04:14.532Z             1.0   \n",
       "2  2020-06-24T19:02:46.237Z  2020-06-24T17:33:49.778Z             1.0   \n",
       "3  2020-05-27T13:23:34.159Z  2020-05-07T15:24:49.068Z             1.0   \n",
       "\n",
       "  x_mitre_is_subtechnique             x_mitre_tactic_type  \\\n",
       "0                   False  [Post-Adversary Device Access]   \n",
       "1                   False  [Post-Adversary Device Access]   \n",
       "2                   False  [Post-Adversary Device Access]   \n",
       "3                   False  [Post-Adversary Device Access]   \n",
       "\n",
       "                                   x_mitre_detection x_mitre_platforms  \\\n",
       "0  Users can view the default SMS handler in syst...         [Android]   \n",
       "1  Users can review which applications have locat...    [Android, iOS]   \n",
       "2  Mobile security products can potentially detec...             [iOS]   \n",
       "3  This behavior is seamless to the user and is t...         [Android]   \n",
       "\n",
       "  x_mitre_contributors x_mitre_old_attack_id revoked x_mitre_deprecated  \n",
       "0                  NaN                   NaN     NaN                NaN  \n",
       "1                  NaN                   NaN     NaN                NaN  \n",
       "2                  NaN                   NaN     NaN                NaN  \n",
       "3                  NaN                   NaN     NaN                NaN  "
      ]
     },
     "execution_count": 52,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "techniques = []\n",
    "for t in all_mobile['techniques']:\n",
    "    techniques.append(json.loads(t.serialize()))\n",
    "df = pandas.json_normalize(techniques)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Mobile Mitigations**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 53,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Mitigations in Mobile ATT&CK\n",
      "13\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Mitigations in Mobile ATT&CK\")\n",
    "print(len(all_mobile['mitigations']))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 54,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>external_references</th>\n",
       "      <th>name</th>\n",
       "      <th>description</th>\n",
       "      <th>id</th>\n",
       "      <th>type</th>\n",
       "      <th>modified</th>\n",
       "      <th>created</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_old_attack_id</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'mitre-attack', 'external_id'...</td>\n",
       "      <td>User Guidance</td>\n",
       "      <td>Describes any guidance or training given to us...</td>\n",
       "      <td>course-of-action--653492e3-27be-4a0e-b08c-938d...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>2019-10-18T15:51:48.318Z</td>\n",
       "      <td>2019-10-18T12:53:03.508Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'mitre-attack', 'external_id'...</td>\n",
       "      <td>Security Updates</td>\n",
       "      <td>Install security updates in response to discov...</td>\n",
       "      <td>course-of-action--bcecd036-f40e-4916-9f8e-fd0c...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>2019-10-18T14:56:15.631Z</td>\n",
       "      <td>2019-10-18T12:51:36.488Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'mitre-attack', 'external_id'...</td>\n",
       "      <td>Attestation</td>\n",
       "      <td>Enable remote attestation capabilities when av...</td>\n",
       "      <td>course-of-action--ff4821f6-5afb-481b-8c0f-26c2...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>2019-10-18T14:52:53.019Z</td>\n",
       "      <td>2019-10-18T12:50:35.335Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'mitre-attack', 'external_id'...</td>\n",
       "      <td>Application Vetting</td>\n",
       "      <td>Enterprises can vet applications for exploitab...</td>\n",
       "      <td>course-of-action--1553b156-6767-47f7-9eb4-2a69...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>2019-10-18T15:53:07.393Z</td>\n",
       "      <td>2019-10-18T12:49:58.924Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                 external_references                 name  \\\n",
       "0  [{'source_name': 'mitre-attack', 'external_id'...        User Guidance   \n",
       "1  [{'source_name': 'mitre-attack', 'external_id'...     Security Updates   \n",
       "2  [{'source_name': 'mitre-attack', 'external_id'...          Attestation   \n",
       "3  [{'source_name': 'mitre-attack', 'external_id'...  Application Vetting   \n",
       "\n",
       "                                         description  \\\n",
       "0  Describes any guidance or training given to us...   \n",
       "1  Install security updates in response to discov...   \n",
       "2  Enable remote attestation capabilities when av...   \n",
       "3  Enterprises can vet applications for exploitab...   \n",
       "\n",
       "                                                  id              type  \\\n",
       "0  course-of-action--653492e3-27be-4a0e-b08c-938d...  course-of-action   \n",
       "1  course-of-action--bcecd036-f40e-4916-9f8e-fd0c...  course-of-action   \n",
       "2  course-of-action--ff4821f6-5afb-481b-8c0f-26c2...  course-of-action   \n",
       "3  course-of-action--1553b156-6767-47f7-9eb4-2a69...  course-of-action   \n",
       "\n",
       "                   modified                   created x_mitre_version  \\\n",
       "0  2019-10-18T15:51:48.318Z  2019-10-18T12:53:03.508Z             1.0   \n",
       "1  2019-10-18T14:56:15.631Z  2019-10-18T12:51:36.488Z             1.0   \n",
       "2  2019-10-18T14:52:53.019Z  2019-10-18T12:50:35.335Z             1.0   \n",
       "3  2019-10-18T15:53:07.393Z  2019-10-18T12:49:58.924Z             1.0   \n",
       "\n",
       "  x_mitre_old_attack_id  \n",
       "0                   NaN  \n",
       "1                   NaN  \n",
       "2                   NaN  \n",
       "3                   NaN  "
      ]
     },
     "execution_count": 54,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "mitigations = []\n",
    "for t in all_mobile['mitigations']:\n",
    "    mitigations.append(json.loads(t.serialize()))\n",
    "df = pandas.json_normalize(mitigations)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Mobile Groups**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 55,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Groups in Mobile ATT&CK\n",
      "3\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Groups in Mobile ATT&CK\")\n",
    "print(len(all_mobile['groups']))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 56,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>external_references</th>\n",
       "      <th>description</th>\n",
       "      <th>name</th>\n",
       "      <th>type</th>\n",
       "      <th>id</th>\n",
       "      <th>aliases</th>\n",
       "      <th>modified</th>\n",
       "      <th>created</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_contributors</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'external_id': 'G0097', 'source_name': 'mitr...</td>\n",
       "      <td>[Bouncing Golf](https://attack.mitre.org/group...</td>\n",
       "      <td>Bouncing Golf</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a...</td>\n",
       "      <td>[Bouncing Golf]</td>\n",
       "      <td>2020-03-26T20:58:44.722Z</td>\n",
       "      <td>2020-01-27T16:55:39.688Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'mitre-attack', 'url': 'https...</td>\n",
       "      <td>[Dark Caracal](https://attack.mitre.org/groups...</td>\n",
       "      <td>Dark Caracal</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced74...</td>\n",
       "      <td>[Dark Caracal]</td>\n",
       "      <td>2020-06-03T20:22:40.401Z</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>1.2</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'external_id': 'G0007', 'url': 'https://atta...</td>\n",
       "      <td>[APT28](https://attack.mitre.org/groups/G0007)...</td>\n",
       "      <td>APT28</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e8...</td>\n",
       "      <td>[APT28, SNAKEMACKEREL, Swallowtail, Group 74, ...</td>\n",
       "      <td>2020-10-06T23:32:21.793Z</td>\n",
       "      <td>2017-05-31T21:31:48.664Z</td>\n",
       "      <td>3.0</td>\n",
       "      <td>[Sébastien Ruel, CGI, Drew Church, Splunk, Emi...</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                 external_references  \\\n",
       "0  [{'external_id': 'G0097', 'source_name': 'mitr...   \n",
       "1  [{'source_name': 'mitre-attack', 'url': 'https...   \n",
       "2  [{'external_id': 'G0007', 'url': 'https://atta...   \n",
       "\n",
       "                                         description           name  \\\n",
       "0  [Bouncing Golf](https://attack.mitre.org/group...  Bouncing Golf   \n",
       "1  [Dark Caracal](https://attack.mitre.org/groups...   Dark Caracal   \n",
       "2  [APT28](https://attack.mitre.org/groups/G0007)...          APT28   \n",
       "\n",
       "            type                                                 id  \\\n",
       "0  intrusion-set  intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a...   \n",
       "1  intrusion-set  intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced74...   \n",
       "2  intrusion-set  intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e8...   \n",
       "\n",
       "                                             aliases  \\\n",
       "0                                    [Bouncing Golf]   \n",
       "1                                     [Dark Caracal]   \n",
       "2  [APT28, SNAKEMACKEREL, Swallowtail, Group 74, ...   \n",
       "\n",
       "                   modified                   created x_mitre_version  \\\n",
       "0  2020-03-26T20:58:44.722Z  2020-01-27T16:55:39.688Z             1.0   \n",
       "1  2020-06-03T20:22:40.401Z  2018-10-17T00:14:20.652Z             1.2   \n",
       "2  2020-10-06T23:32:21.793Z  2017-05-31T21:31:48.664Z             3.0   \n",
       "\n",
       "                                x_mitre_contributors  \n",
       "0                                                NaN  \n",
       "1                                                NaN  \n",
       "2  [Sébastien Ruel, CGI, Drew Church, Splunk, Emi...  "
      ]
     },
     "execution_count": 56,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "groups = []\n",
    "for t in all_mobile['groups']:\n",
    "    groups.append(json.loads(t.serialize()))\n",
    "df = pandas.json_normalize(groups)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Mobile Malware**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 57,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Malware in Mobile ATT&CK\n",
      "74\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Malware in Mobile ATT&CK\")\n",
    "print(len(all_mobile['malware']))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 58,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>external_references</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>description</th>\n",
       "      <th>name</th>\n",
       "      <th>id</th>\n",
       "      <th>type</th>\n",
       "      <th>labels</th>\n",
       "      <th>modified</th>\n",
       "      <th>created</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_aliases</th>\n",
       "      <th>x_mitre_platforms</th>\n",
       "      <th>x_mitre_contributors</th>\n",
       "      <th>x_mitre_old_attack_id</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>[{'external_id': 'S0509', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[FakeSpy](https://attack.mitre.org/software/S0...</td>\n",
       "      <td>FakeSpy</td>\n",
       "      <td>malware--838f647e-8ff8-48bd-bbd5-613cee7736cb</td>\n",
       "      <td>malware</td>\n",
       "      <td>[malware]</td>\n",
       "      <td>2020-10-06T20:09:57.659Z</td>\n",
       "      <td>2020-09-15T15:18:11.971Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[FakeSpy]</td>\n",
       "      <td>[Android]</td>\n",
       "      <td>[Ofir Almkias, Cybereason]</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>[{'external_id': 'S0507', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[eSurv](https://attack.mitre.org/software/S050...</td>\n",
       "      <td>eSurv</td>\n",
       "      <td>malware--680f680c-eef9-4f8a-b5f5-f451bf47e403</td>\n",
       "      <td>malware</td>\n",
       "      <td>[malware]</td>\n",
       "      <td>2020-09-14T15:39:17.698Z</td>\n",
       "      <td>2020-09-14T14:13:45.032Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[eSurv]</td>\n",
       "      <td>[Android, iOS]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>[{'external_id': 'S0506', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[ViperRAT](https://attack.mitre.org/software/S...</td>\n",
       "      <td>ViperRAT</td>\n",
       "      <td>malware--f666e17c-b290-43b3-8947-b96bd5148fbb</td>\n",
       "      <td>malware</td>\n",
       "      <td>[malware]</td>\n",
       "      <td>2020-09-29T20:03:42.662Z</td>\n",
       "      <td>2020-09-11T16:22:02.954Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[ViperRAT]</td>\n",
       "      <td>[Android]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>[{'external_id': 'S0505', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[Desert Scorpion](https://attack.mitre.org/sof...</td>\n",
       "      <td>Desert Scorpion</td>\n",
       "      <td>malware--3271c107-92c4-442e-9506-e76d62230ee8</td>\n",
       "      <td>malware</td>\n",
       "      <td>[malware]</td>\n",
       "      <td>2020-09-11T16:23:16.039Z</td>\n",
       "      <td>2020-09-11T14:54:16.188Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[Desert Scorpion]</td>\n",
       "      <td>[Android]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                 external_references  \\\n",
       "0  [{'external_id': 'S0509', 'source_name': 'mitr...   \n",
       "1  [{'external_id': 'S0507', 'source_name': 'mitr...   \n",
       "2  [{'external_id': 'S0506', 'source_name': 'mitr...   \n",
       "3  [{'external_id': 'S0505', 'source_name': 'mitr...   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                         description             name  \\\n",
       "0  [FakeSpy](https://attack.mitre.org/software/S0...          FakeSpy   \n",
       "1  [eSurv](https://attack.mitre.org/software/S050...            eSurv   \n",
       "2  [ViperRAT](https://attack.mitre.org/software/S...         ViperRAT   \n",
       "3  [Desert Scorpion](https://attack.mitre.org/sof...  Desert Scorpion   \n",
       "\n",
       "                                              id     type     labels  \\\n",
       "0  malware--838f647e-8ff8-48bd-bbd5-613cee7736cb  malware  [malware]   \n",
       "1  malware--680f680c-eef9-4f8a-b5f5-f451bf47e403  malware  [malware]   \n",
       "2  malware--f666e17c-b290-43b3-8947-b96bd5148fbb  malware  [malware]   \n",
       "3  malware--3271c107-92c4-442e-9506-e76d62230ee8  malware  [malware]   \n",
       "\n",
       "                   modified                   created x_mitre_version  \\\n",
       "0  2020-10-06T20:09:57.659Z  2020-09-15T15:18:11.971Z             1.0   \n",
       "1  2020-09-14T15:39:17.698Z  2020-09-14T14:13:45.032Z             1.0   \n",
       "2  2020-09-29T20:03:42.662Z  2020-09-11T16:22:02.954Z             1.0   \n",
       "3  2020-09-11T16:23:16.039Z  2020-09-11T14:54:16.188Z             1.0   \n",
       "\n",
       "     x_mitre_aliases x_mitre_platforms        x_mitre_contributors  \\\n",
       "0          [FakeSpy]         [Android]  [Ofir Almkias, Cybereason]   \n",
       "1            [eSurv]    [Android, iOS]                         NaN   \n",
       "2         [ViperRAT]         [Android]                         NaN   \n",
       "3  [Desert Scorpion]         [Android]                         NaN   \n",
       "\n",
       "  x_mitre_old_attack_id  \n",
       "0                   NaN  \n",
       "1                   NaN  \n",
       "2                   NaN  \n",
       "3                   NaN  "
      ]
     },
     "execution_count": 58,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "malware = []\n",
    "for t in all_mobile['malware']:\n",
    "    malware.append(json.loads(t.serialize()))\n",
    "df = pandas.json_normalize(malware)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Mobile Tools**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 59,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Tools in Mobile ATT&CK\n",
      "2\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Tools in Mobile ATT&CK\")\n",
    "print(len(all_mobile['tools']))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 60,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>external_references</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>description</th>\n",
       "      <th>name</th>\n",
       "      <th>id</th>\n",
       "      <th>type</th>\n",
       "      <th>labels</th>\n",
       "      <th>modified</th>\n",
       "      <th>created</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_aliases</th>\n",
       "      <th>x_mitre_platforms</th>\n",
       "      <th>x_mitre_contributors</th>\n",
       "      <th>x_mitre_old_attack_id</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>[{'external_id': 'S0408', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[FlexiSpy](https://attack.mitre.org/software/S...</td>\n",
       "      <td>FlexiSpy</td>\n",
       "      <td>tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81</td>\n",
       "      <td>tool</td>\n",
       "      <td>[tool]</td>\n",
       "      <td>2019-10-14T18:08:28.349Z</td>\n",
       "      <td>2019-09-04T15:38:56.070Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[FlexiSpy]</td>\n",
       "      <td>[Android]</td>\n",
       "      <td>[Emily Ratliff, IBM]</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>[{'source_name': 'mitre-mobile-attack', 'url':...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[Xbot](https://attack.mitre.org/software/S0298...</td>\n",
       "      <td>Xbot</td>\n",
       "      <td>tool--da21929e-40c0-443d-bdf4-6b60d15448b4</td>\n",
       "      <td>tool</td>\n",
       "      <td>[tool]</td>\n",
       "      <td>2018-12-11T20:40:31.461Z</td>\n",
       "      <td>2017-10-25T14:48:48.609Z</td>\n",
       "      <td>1.1</td>\n",
       "      <td>[Xbot]</td>\n",
       "      <td>[Android]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>MOB-S0014</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                 external_references  \\\n",
       "0  [{'external_id': 'S0408', 'source_name': 'mitr...   \n",
       "1  [{'source_name': 'mitre-mobile-attack', 'url':...   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                         description      name  \\\n",
       "0  [FlexiSpy](https://attack.mitre.org/software/S...  FlexiSpy   \n",
       "1  [Xbot](https://attack.mitre.org/software/S0298...      Xbot   \n",
       "\n",
       "                                           id  type  labels  \\\n",
       "0  tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81  tool  [tool]   \n",
       "1  tool--da21929e-40c0-443d-bdf4-6b60d15448b4  tool  [tool]   \n",
       "\n",
       "                   modified                   created x_mitre_version  \\\n",
       "0  2019-10-14T18:08:28.349Z  2019-09-04T15:38:56.070Z             1.0   \n",
       "1  2018-12-11T20:40:31.461Z  2017-10-25T14:48:48.609Z             1.1   \n",
       "\n",
       "  x_mitre_aliases x_mitre_platforms  x_mitre_contributors  \\\n",
       "0      [FlexiSpy]         [Android]  [Emily Ratliff, IBM]   \n",
       "1          [Xbot]         [Android]                   NaN   \n",
       "\n",
       "  x_mitre_old_attack_id  \n",
       "0                   NaN  \n",
       "1             MOB-S0014  "
      ]
     },
     "execution_count": 60,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "tools = []\n",
    "for t in all_mobile['tools']:\n",
    "    tools.append(json.loads(t.serialize()))\n",
    "df = pandas.json_normalize(tools)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Mobile Relationships**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 61,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Relationships in Mobile ATT&CK\n",
      "795\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Relationships in Mobile ATT&CK\")\n",
    "print(len(all_mobile['relationships']))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 62,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>id</th>\n",
       "      <th>type</th>\n",
       "      <th>modified</th>\n",
       "      <th>created</th>\n",
       "      <th>source_ref</th>\n",
       "      <th>relationship_type</th>\n",
       "      <th>target_ref</th>\n",
       "      <th>description</th>\n",
       "      <th>external_references</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>relationship--39f46abc-d9e3-463d-9340-3bc8334a...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2020-10-23T15:05:40.967Z</td>\n",
       "      <td>2020-10-23T15:05:40.967Z</td>\n",
       "      <td>attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab...</td>\n",
       "      <td>revoked-by</td>\n",
       "      <td>attack-pattern--77e30eee-fd48-40b4-99ec-73e97c...</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>relationship--e373111c-aa34-4686-a286-7c9b4267...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2020-10-01T12:43:42.238Z</td>\n",
       "      <td>2020-09-30T14:48:16.522Z</td>\n",
       "      <td>course-of-action--0beabf44-e8d8-4ae4-9122-ef56...</td>\n",
       "      <td>mitigates</td>\n",
       "      <td>attack-pattern--8197f026-64da-4700-93b9-b55ba5...</td>\n",
       "      <td>New OS releases frequently contain additional ...</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>relationship--37459382-00b7-4699-a294-d25f53bf...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2020-10-01T12:42:21.985Z</td>\n",
       "      <td>2020-09-30T14:36:43.256Z</td>\n",
       "      <td>course-of-action--0beabf44-e8d8-4ae4-9122-ef56...</td>\n",
       "      <td>mitigates</td>\n",
       "      <td>attack-pattern--77e30eee-fd48-40b4-99ec-73e97c...</td>\n",
       "      <td>iOS 11 introduced a first-come-first-served pr...</td>\n",
       "      <td>[{'source_name': 'Trend Micro iOS URL Hijackin...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>relationship--455b1287-5784-42b4-91fb-01dac007...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2020-09-29T13:24:15.234Z</td>\n",
       "      <td>2020-09-29T13:24:15.234Z</td>\n",
       "      <td>malware--317a2c10-d489-431e-b6b2-f0251fddc88e</td>\n",
       "      <td>uses</td>\n",
       "      <td>attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd2...</td>\n",
       "      <td>[Dendroid](https://attack.mitre.org/software/S...</td>\n",
       "      <td>[{'source_name': 'Lookout-Dendroid', 'descript...</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                                  id          type  \\\n",
       "0  relationship--39f46abc-d9e3-463d-9340-3bc8334a...  relationship   \n",
       "1  relationship--e373111c-aa34-4686-a286-7c9b4267...  relationship   \n",
       "2  relationship--37459382-00b7-4699-a294-d25f53bf...  relationship   \n",
       "3  relationship--455b1287-5784-42b4-91fb-01dac007...  relationship   \n",
       "\n",
       "                   modified                   created  \\\n",
       "0  2020-10-23T15:05:40.967Z  2020-10-23T15:05:40.967Z   \n",
       "1  2020-10-01T12:43:42.238Z  2020-09-30T14:48:16.522Z   \n",
       "2  2020-10-01T12:42:21.985Z  2020-09-30T14:36:43.256Z   \n",
       "3  2020-09-29T13:24:15.234Z  2020-09-29T13:24:15.234Z   \n",
       "\n",
       "                                          source_ref relationship_type  \\\n",
       "0  attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab...        revoked-by   \n",
       "1  course-of-action--0beabf44-e8d8-4ae4-9122-ef56...         mitigates   \n",
       "2  course-of-action--0beabf44-e8d8-4ae4-9122-ef56...         mitigates   \n",
       "3      malware--317a2c10-d489-431e-b6b2-f0251fddc88e              uses   \n",
       "\n",
       "                                          target_ref  \\\n",
       "0  attack-pattern--77e30eee-fd48-40b4-99ec-73e97c...   \n",
       "1  attack-pattern--8197f026-64da-4700-93b9-b55ba5...   \n",
       "2  attack-pattern--77e30eee-fd48-40b4-99ec-73e97c...   \n",
       "3  attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd2...   \n",
       "\n",
       "                                         description  \\\n",
       "0                                                NaN   \n",
       "1  New OS releases frequently contain additional ...   \n",
       "2  iOS 11 introduced a first-come-first-served pr...   \n",
       "3  [Dendroid](https://attack.mitre.org/software/S...   \n",
       "\n",
       "                                 external_references  \n",
       "0                                                NaN  \n",
       "1                                                NaN  \n",
       "2  [{'source_name': 'Trend Micro iOS URL Hijackin...  \n",
       "3  [{'source_name': 'Lookout-Dendroid', 'descript...  "
      ]
     },
     "execution_count": 62,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "relations = []\n",
    "for t in all_mobile['relationships']:\n",
    "    relations.append(json.loads(t.serialize()))\n",
    "df = pandas.json_normalize(relations)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## **Get STIX Object Types Directly from TAXII Server (Enterprise ATT&CK, Pre-ATT&CK & Mobile ATT&CK)**\n",
    "* In this section, we will query the ATT&CK TAXII Server directly in order to collect specific stix object types such as techniques, mitigations, groups, malware, tools and relationships from the Enterprise, PRE and Mobile Matrices.\n",
    "* There is no need to get all the stix objects available per each matrix unlike the first section of this notebook."
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Enterprise Techniques ONLY (TAXII)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 63,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Techniques in Enterprise ATT&CK\n",
      "665\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Techniques in Enterprise ATT&CK\")\n",
    "techniques = lift.get_enterprise_techniques()\n",
    "print(len(techniques))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 64,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>id</th>\n",
       "      <th>description</th>\n",
       "      <th>name</th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>external_references</th>\n",
       "      <th>type</th>\n",
       "      <th>kill_chain_phases</th>\n",
       "      <th>modified</th>\n",
       "      <th>created</th>\n",
       "      <th>...</th>\n",
       "      <th>x_mitre_permissions_required</th>\n",
       "      <th>x_mitre_defense_bypassed</th>\n",
       "      <th>x_mitre_contributors</th>\n",
       "      <th>x_mitre_system_requirements</th>\n",
       "      <th>x_mitre_network_requirements</th>\n",
       "      <th>x_mitre_effective_permissions</th>\n",
       "      <th>x_mitre_remote_support</th>\n",
       "      <th>x_mitre_impact_type</th>\n",
       "      <th>revoked</th>\n",
       "      <th>x_mitre_deprecated</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>attack-pattern--818302b2-d640-477b-bf88-873120...</td>\n",
       "      <td>Adversaries may abuse scripting or built-in co...</td>\n",
       "      <td>Network Device CLI</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'mitre-attack', 'external_id'...</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>[{'kill_chain_name': 'mitre-attack', 'phase_na...</td>\n",
       "      <td>2020-10-22T16:43:38.388Z</td>\n",
       "      <td>2020-10-20T00:09:33.072Z</td>\n",
       "      <td>...</td>\n",
       "      <td>[Administrator, User]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>attack-pattern--52759bf1-fe12-4052-ace6-c5b0cf...</td>\n",
       "      <td>Adversaries may access network configuration f...</td>\n",
       "      <td>Network Device Configuration Dump</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'mitre-attack', 'external_id'...</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>[{'kill_chain_name': 'mitre-attack', 'phase_na...</td>\n",
       "      <td>2020-10-22T01:45:55.144Z</td>\n",
       "      <td>2020-10-20T00:08:21.745Z</td>\n",
       "      <td>...</td>\n",
       "      <td>[Administrator]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>attack-pattern--28abec6c-4443-4b03-8206-07f2e2...</td>\n",
       "      <td>Adversaries may abuse netbooting to load an un...</td>\n",
       "      <td>TFTP Boot</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'mitre-attack', 'external_id'...</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>[{'kill_chain_name': 'mitre-attack', 'phase_na...</td>\n",
       "      <td>2020-10-22T16:35:53.806Z</td>\n",
       "      <td>2020-10-20T00:06:56.180Z</td>\n",
       "      <td>...</td>\n",
       "      <td>[Administrator]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>attack-pattern--a6557c75-798f-42e4-be70-ab4502...</td>\n",
       "      <td>Adversaries may abuse the ROM Monitor (ROMMON)...</td>\n",
       "      <td>ROMMONkit</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'mitre-attack', 'external_id'...</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>[{'kill_chain_name': 'mitre-attack', 'phase_na...</td>\n",
       "      <td>2020-10-22T02:18:19.568Z</td>\n",
       "      <td>2020-10-20T00:05:48.790Z</td>\n",
       "      <td>...</td>\n",
       "      <td>[Administrator]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "<p>4 rows × 25 columns</p>\n",
       "</div>"
      ],
      "text/plain": [
       "                                                  id  \\\n",
       "0  attack-pattern--818302b2-d640-477b-bf88-873120...   \n",
       "1  attack-pattern--52759bf1-fe12-4052-ace6-c5b0cf...   \n",
       "2  attack-pattern--28abec6c-4443-4b03-8206-07f2e2...   \n",
       "3  attack-pattern--a6557c75-798f-42e4-be70-ab4502...   \n",
       "\n",
       "                                         description  \\\n",
       "0  Adversaries may abuse scripting or built-in co...   \n",
       "1  Adversaries may access network configuration f...   \n",
       "2  Adversaries may abuse netbooting to load an un...   \n",
       "3  Adversaries may abuse the ROM Monitor (ROMMON)...   \n",
       "\n",
       "                                name  \\\n",
       "0                 Network Device CLI   \n",
       "1  Network Device Configuration Dump   \n",
       "2                          TFTP Boot   \n",
       "3                          ROMMONkit   \n",
       "\n",
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                 external_references            type  \\\n",
       "0  [{'source_name': 'mitre-attack', 'external_id'...  attack-pattern   \n",
       "1  [{'source_name': 'mitre-attack', 'external_id'...  attack-pattern   \n",
       "2  [{'source_name': 'mitre-attack', 'external_id'...  attack-pattern   \n",
       "3  [{'source_name': 'mitre-attack', 'external_id'...  attack-pattern   \n",
       "\n",
       "                                   kill_chain_phases  \\\n",
       "0  [{'kill_chain_name': 'mitre-attack', 'phase_na...   \n",
       "1  [{'kill_chain_name': 'mitre-attack', 'phase_na...   \n",
       "2  [{'kill_chain_name': 'mitre-attack', 'phase_na...   \n",
       "3  [{'kill_chain_name': 'mitre-attack', 'phase_na...   \n",
       "\n",
       "                   modified                   created  ...  \\\n",
       "0  2020-10-22T16:43:38.388Z  2020-10-20T00:09:33.072Z  ...   \n",
       "1  2020-10-22T01:45:55.144Z  2020-10-20T00:08:21.745Z  ...   \n",
       "2  2020-10-22T16:35:53.806Z  2020-10-20T00:06:56.180Z  ...   \n",
       "3  2020-10-22T02:18:19.568Z  2020-10-20T00:05:48.790Z  ...   \n",
       "\n",
       "  x_mitre_permissions_required x_mitre_defense_bypassed x_mitre_contributors  \\\n",
       "0        [Administrator, User]                      NaN                  NaN   \n",
       "1              [Administrator]                      NaN                  NaN   \n",
       "2              [Administrator]                      NaN                  NaN   \n",
       "3              [Administrator]                      NaN                  NaN   \n",
       "\n",
       "  x_mitre_system_requirements x_mitre_network_requirements  \\\n",
       "0                         NaN                          NaN   \n",
       "1                         NaN                          NaN   \n",
       "2                         NaN                          NaN   \n",
       "3                         NaN                          NaN   \n",
       "\n",
       "  x_mitre_effective_permissions x_mitre_remote_support x_mitre_impact_type  \\\n",
       "0                           NaN                    NaN                 NaN   \n",
       "1                           NaN                    NaN                 NaN   \n",
       "2                           NaN                    NaN                 NaN   \n",
       "3                           NaN                    NaN                 NaN   \n",
       "\n",
       "  revoked x_mitre_deprecated  \n",
       "0     NaN                NaN  \n",
       "1     NaN                NaN  \n",
       "2     NaN                NaN  \n",
       "3     NaN                NaN  \n",
       "\n",
       "[4 rows x 25 columns]"
      ]
     },
     "execution_count": 64,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "techniques_list = []\n",
    "for t in techniques:\n",
    "    techniques_list.append(json.loads(t.serialize()))\n",
    "df = pandas.json_normalize(techniques_list)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All PRE Techniques ONLY (TAXII)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 65,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Techniques in PRE-ATT&CK\n"
     ]
    },
    {
     "name": "stderr",
     "output_type": "stream",
     "text": [
      "/usr/local/lib/python3.8/site-packages/attackcti/attack_api.py:455: UserWarning: PRE ATT&CK is deprecated. It will be removed in future versions. Consider adjusting your application\n",
      "  warnings.warn(\"PRE ATT&CK is deprecated. It will be removed in future versions. Consider adjusting your application\")\n"
     ]
    },
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "174\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Techniques in PRE-ATT&CK\")\n",
    "techniques = lift.get_pre_techniques()\n",
    "print(len(techniques))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 66,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>id</th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>name</th>\n",
       "      <th>description</th>\n",
       "      <th>external_references</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>type</th>\n",
       "      <th>kill_chain_phases</th>\n",
       "      <th>modified</th>\n",
       "      <th>created</th>\n",
       "      <th>x_mitre_is_subtechnique</th>\n",
       "      <th>x_mitre_old_attack_id</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_difficulty_for_adversary_explanation</th>\n",
       "      <th>x_mitre_difficulty_for_adversary</th>\n",
       "      <th>x_mitre_detectable_by_common_defenses_explanation</th>\n",
       "      <th>x_mitre_detectable_by_common_defenses</th>\n",
       "      <th>x_mitre_deprecated</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>attack-pattern--b182f29c-2505-4b32-a000-0440ef...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>Spearphishing for Information</td>\n",
       "      <td>This object is deprecated as its content has b...</td>\n",
       "      <td>[{'source_name': 'mitre-pre-attack', 'url': 'h...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>[{'kill_chain_name': 'mitre-pre-attack', 'phas...</td>\n",
       "      <td>2020-10-26T13:42:49.342Z</td>\n",
       "      <td>2018-04-18T17:59:24.739Z</td>\n",
       "      <td>False</td>\n",
       "      <td>PRE-T1174</td>\n",
       "      <td>1.0</td>\n",
       "      <td>Sending emails is trivial, and, over time, an ...</td>\n",
       "      <td>Yes</td>\n",
       "      <td>Depending on the specific method of phishing, ...</td>\n",
       "      <td>Partial</td>\n",
       "      <td>True</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>attack-pattern--2b9a666e-bd59-4f67-9031-ed41b4...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>Acquire OSINT data sets and information</td>\n",
       "      <td>This object is deprecated as its content has b...</td>\n",
       "      <td>[{'source_name': 'mitre-pre-attack', 'url': 'h...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>[{'kill_chain_name': 'mitre-pre-attack', 'phas...</td>\n",
       "      <td>2020-10-26T13:42:49.342Z</td>\n",
       "      <td>2017-12-14T16:46:06.044Z</td>\n",
       "      <td>NaN</td>\n",
       "      <td>PRE-T1043</td>\n",
       "      <td>1.0</td>\n",
       "      <td>Possible to gather digital intelligence about ...</td>\n",
       "      <td>Yes</td>\n",
       "      <td>This activity is indistinguishable from legiti...</td>\n",
       "      <td>No</td>\n",
       "      <td>True</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>attack-pattern--1a295f87-af63-4d94-b130-039d62...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>Acquire and/or use 3rd party software services</td>\n",
       "      <td>This object is deprecated as its content has b...</td>\n",
       "      <td>[{'source_name': 'mitre-pre-attack', 'url': 'h...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>[{'kill_chain_name': 'mitre-pre-attack', 'phas...</td>\n",
       "      <td>2020-10-26T13:42:49.342Z</td>\n",
       "      <td>2017-12-14T16:46:06.044Z</td>\n",
       "      <td>NaN</td>\n",
       "      <td>PRE-T1085</td>\n",
       "      <td>1.0</td>\n",
       "      <td>3rd party services like these listed are freel...</td>\n",
       "      <td>Yes</td>\n",
       "      <td>Defender will not have visibility over account...</td>\n",
       "      <td>No</td>\n",
       "      <td>True</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>attack-pattern--fe421ab9-c8f3-42f7-9ae1-5d6c32...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>Analyze application security posture</td>\n",
       "      <td>This object is deprecated as its content has b...</td>\n",
       "      <td>[{'source_name': 'mitre-pre-attack', 'url': 'h...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>[{'kill_chain_name': 'mitre-pre-attack', 'phas...</td>\n",
       "      <td>2020-10-26T13:42:49.342Z</td>\n",
       "      <td>2017-12-14T16:46:06.044Z</td>\n",
       "      <td>NaN</td>\n",
       "      <td>PRE-T1070</td>\n",
       "      <td>1.0</td>\n",
       "      <td>Analyze technical scanning results to identify...</td>\n",
       "      <td>Yes</td>\n",
       "      <td>This can be done offline after the data has be...</td>\n",
       "      <td>No</td>\n",
       "      <td>True</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                                  id  \\\n",
       "0  attack-pattern--b182f29c-2505-4b32-a000-0440ef...   \n",
       "1  attack-pattern--2b9a666e-bd59-4f67-9031-ed41b4...   \n",
       "2  attack-pattern--1a295f87-af63-4d94-b130-039d62...   \n",
       "3  attack-pattern--fe421ab9-c8f3-42f7-9ae1-5d6c32...   \n",
       "\n",
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                             name  \\\n",
       "0                   Spearphishing for Information   \n",
       "1         Acquire OSINT data sets and information   \n",
       "2  Acquire and/or use 3rd party software services   \n",
       "3            Analyze application security posture   \n",
       "\n",
       "                                         description  \\\n",
       "0  This object is deprecated as its content has b...   \n",
       "1  This object is deprecated as its content has b...   \n",
       "2  This object is deprecated as its content has b...   \n",
       "3  This object is deprecated as its content has b...   \n",
       "\n",
       "                                 external_references  \\\n",
       "0  [{'source_name': 'mitre-pre-attack', 'url': 'h...   \n",
       "1  [{'source_name': 'mitre-pre-attack', 'url': 'h...   \n",
       "2  [{'source_name': 'mitre-pre-attack', 'url': 'h...   \n",
       "3  [{'source_name': 'mitre-pre-attack', 'url': 'h...   \n",
       "\n",
       "                                 object_marking_refs            type  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...  attack-pattern   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...  attack-pattern   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...  attack-pattern   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...  attack-pattern   \n",
       "\n",
       "                                   kill_chain_phases  \\\n",
       "0  [{'kill_chain_name': 'mitre-pre-attack', 'phas...   \n",
       "1  [{'kill_chain_name': 'mitre-pre-attack', 'phas...   \n",
       "2  [{'kill_chain_name': 'mitre-pre-attack', 'phas...   \n",
       "3  [{'kill_chain_name': 'mitre-pre-attack', 'phas...   \n",
       "\n",
       "                   modified                   created x_mitre_is_subtechnique  \\\n",
       "0  2020-10-26T13:42:49.342Z  2018-04-18T17:59:24.739Z                   False   \n",
       "1  2020-10-26T13:42:49.342Z  2017-12-14T16:46:06.044Z                     NaN   \n",
       "2  2020-10-26T13:42:49.342Z  2017-12-14T16:46:06.044Z                     NaN   \n",
       "3  2020-10-26T13:42:49.342Z  2017-12-14T16:46:06.044Z                     NaN   \n",
       "\n",
       "  x_mitre_old_attack_id x_mitre_version  \\\n",
       "0             PRE-T1174             1.0   \n",
       "1             PRE-T1043             1.0   \n",
       "2             PRE-T1085             1.0   \n",
       "3             PRE-T1070             1.0   \n",
       "\n",
       "        x_mitre_difficulty_for_adversary_explanation  \\\n",
       "0  Sending emails is trivial, and, over time, an ...   \n",
       "1  Possible to gather digital intelligence about ...   \n",
       "2  3rd party services like these listed are freel...   \n",
       "3  Analyze technical scanning results to identify...   \n",
       "\n",
       "  x_mitre_difficulty_for_adversary  \\\n",
       "0                              Yes   \n",
       "1                              Yes   \n",
       "2                              Yes   \n",
       "3                              Yes   \n",
       "\n",
       "   x_mitre_detectable_by_common_defenses_explanation  \\\n",
       "0  Depending on the specific method of phishing, ...   \n",
       "1  This activity is indistinguishable from legiti...   \n",
       "2  Defender will not have visibility over account...   \n",
       "3  This can be done offline after the data has be...   \n",
       "\n",
       "  x_mitre_detectable_by_common_defenses  x_mitre_deprecated  \n",
       "0                               Partial                True  \n",
       "1                                    No                True  \n",
       "2                                    No                True  \n",
       "3                                    No                True  "
      ]
     },
     "execution_count": 66,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "techniques_list = []\n",
    "for t in techniques:\n",
    "    techniques_list.append(json.loads(t.serialize()))\n",
    "df = pandas.json_normalize(techniques_list)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Mobile Techniques ONLY (TAXII)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 67,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Techniques in Mobile ATT&CK\n",
      "104\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Techniques in Mobile ATT&CK\")\n",
    "techniques = lift.get_mobile_techniques()\n",
    "print(len(techniques))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 68,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>external_references</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>name</th>\n",
       "      <th>description</th>\n",
       "      <th>id</th>\n",
       "      <th>type</th>\n",
       "      <th>kill_chain_phases</th>\n",
       "      <th>modified</th>\n",
       "      <th>created</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_is_subtechnique</th>\n",
       "      <th>x_mitre_tactic_type</th>\n",
       "      <th>x_mitre_detection</th>\n",
       "      <th>x_mitre_platforms</th>\n",
       "      <th>x_mitre_contributors</th>\n",
       "      <th>x_mitre_old_attack_id</th>\n",
       "      <th>revoked</th>\n",
       "      <th>x_mitre_deprecated</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>[{'source_name': 'mitre-mobile-attack', 'exter...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>SMS Control</td>\n",
       "      <td>Adversaries may delete, alter, or send SMS mes...</td>\n",
       "      <td>attack-pattern--b327a9c0-e709-495c-aa6e-00b042...</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>[{'kill_chain_name': 'mitre-mobile-attack', 'p...</td>\n",
       "      <td>2020-10-22T17:04:15.578Z</td>\n",
       "      <td>2020-09-11T15:14:33.730Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>False</td>\n",
       "      <td>[Post-Adversary Device Access]</td>\n",
       "      <td>Users can view the default SMS handler in syst...</td>\n",
       "      <td>[Android]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>[{'source_name': 'mitre-mobile-attack', 'exter...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>Geofencing</td>\n",
       "      <td>Adversaries may use a device’s geographical lo...</td>\n",
       "      <td>attack-pattern--8197f026-64da-4700-93b9-b55ba5...</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>[{'kill_chain_name': 'mitre-mobile-attack', 'p...</td>\n",
       "      <td>2020-10-01T12:43:41.494Z</td>\n",
       "      <td>2020-09-11T15:04:14.532Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>False</td>\n",
       "      <td>[Post-Adversary Device Access]</td>\n",
       "      <td>Users can review which applications have locat...</td>\n",
       "      <td>[Android, iOS]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>[{'source_name': 'mitre-mobile-attack', 'exter...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>Keychain</td>\n",
       "      <td>Adversaries may collect the keychain storage d...</td>\n",
       "      <td>attack-pattern--27f483c6-6666-44fa-8532-ffd5fc...</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>[{'kill_chain_name': 'mitre-mobile-attack', 'p...</td>\n",
       "      <td>2020-06-24T19:02:46.237Z</td>\n",
       "      <td>2020-06-24T17:33:49.778Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>False</td>\n",
       "      <td>[Post-Adversary Device Access]</td>\n",
       "      <td>Mobile security products can potentially detec...</td>\n",
       "      <td>[iOS]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>[{'source_name': 'mitre-mobile-attack', 'exter...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>Compromise Application Executable</td>\n",
       "      <td>Adversaries may modify applications installed ...</td>\n",
       "      <td>attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e5631...</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>[{'kill_chain_name': 'mitre-mobile-attack', 'p...</td>\n",
       "      <td>2020-05-27T13:23:34.159Z</td>\n",
       "      <td>2020-05-07T15:24:49.068Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>False</td>\n",
       "      <td>[Post-Adversary Device Access]</td>\n",
       "      <td>This behavior is seamless to the user and is t...</td>\n",
       "      <td>[Android]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                 external_references  \\\n",
       "0  [{'source_name': 'mitre-mobile-attack', 'exter...   \n",
       "1  [{'source_name': 'mitre-mobile-attack', 'exter...   \n",
       "2  [{'source_name': 'mitre-mobile-attack', 'exter...   \n",
       "3  [{'source_name': 'mitre-mobile-attack', 'exter...   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                name  \\\n",
       "0                        SMS Control   \n",
       "1                         Geofencing   \n",
       "2                           Keychain   \n",
       "3  Compromise Application Executable   \n",
       "\n",
       "                                         description  \\\n",
       "0  Adversaries may delete, alter, or send SMS mes...   \n",
       "1  Adversaries may use a device’s geographical lo...   \n",
       "2  Adversaries may collect the keychain storage d...   \n",
       "3  Adversaries may modify applications installed ...   \n",
       "\n",
       "                                                  id            type  \\\n",
       "0  attack-pattern--b327a9c0-e709-495c-aa6e-00b042...  attack-pattern   \n",
       "1  attack-pattern--8197f026-64da-4700-93b9-b55ba5...  attack-pattern   \n",
       "2  attack-pattern--27f483c6-6666-44fa-8532-ffd5fc...  attack-pattern   \n",
       "3  attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e5631...  attack-pattern   \n",
       "\n",
       "                                   kill_chain_phases  \\\n",
       "0  [{'kill_chain_name': 'mitre-mobile-attack', 'p...   \n",
       "1  [{'kill_chain_name': 'mitre-mobile-attack', 'p...   \n",
       "2  [{'kill_chain_name': 'mitre-mobile-attack', 'p...   \n",
       "3  [{'kill_chain_name': 'mitre-mobile-attack', 'p...   \n",
       "\n",
       "                   modified                   created x_mitre_version  \\\n",
       "0  2020-10-22T17:04:15.578Z  2020-09-11T15:14:33.730Z             1.0   \n",
       "1  2020-10-01T12:43:41.494Z  2020-09-11T15:04:14.532Z             1.0   \n",
       "2  2020-06-24T19:02:46.237Z  2020-06-24T17:33:49.778Z             1.0   \n",
       "3  2020-05-27T13:23:34.159Z  2020-05-07T15:24:49.068Z             1.0   \n",
       "\n",
       "  x_mitre_is_subtechnique             x_mitre_tactic_type  \\\n",
       "0                   False  [Post-Adversary Device Access]   \n",
       "1                   False  [Post-Adversary Device Access]   \n",
       "2                   False  [Post-Adversary Device Access]   \n",
       "3                   False  [Post-Adversary Device Access]   \n",
       "\n",
       "                                   x_mitre_detection x_mitre_platforms  \\\n",
       "0  Users can view the default SMS handler in syst...         [Android]   \n",
       "1  Users can review which applications have locat...    [Android, iOS]   \n",
       "2  Mobile security products can potentially detec...             [iOS]   \n",
       "3  This behavior is seamless to the user and is t...         [Android]   \n",
       "\n",
       "  x_mitre_contributors x_mitre_old_attack_id revoked x_mitre_deprecated  \n",
       "0                  NaN                   NaN     NaN                NaN  \n",
       "1                  NaN                   NaN     NaN                NaN  \n",
       "2                  NaN                   NaN     NaN                NaN  \n",
       "3                  NaN                   NaN     NaN                NaN  "
      ]
     },
     "execution_count": 68,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "techniques_list = []\n",
    "for t in techniques:\n",
    "    techniques_list.append(json.loads(t.serialize()))\n",
    "df = pandas.json_normalize(techniques_list)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Techniques (TAXII)\n",
    "* The results of this function shows every single technique across the whole ATT&CK framework without their mitigations information\n",
    "* Mitigations information has its own stix object type (Mitigation) that needs to be correlated with the help of relationship properties\n",
    "* There is a function already created in this library named **get_techniques_with_mitigations()** that allows you to get a more complete view of techniques"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 69,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Techniques in ATT&CK\n",
      "1024\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Techniques in ATT&CK\")\n",
    "techniques = lift.get_techniques()\n",
    "print(len(techniques))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 70,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>id</th>\n",
       "      <th>description</th>\n",
       "      <th>name</th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>external_references</th>\n",
       "      <th>type</th>\n",
       "      <th>kill_chain_phases</th>\n",
       "      <th>modified</th>\n",
       "      <th>created</th>\n",
       "      <th>...</th>\n",
       "      <th>x_mitre_remote_support</th>\n",
       "      <th>x_mitre_impact_type</th>\n",
       "      <th>revoked</th>\n",
       "      <th>x_mitre_deprecated</th>\n",
       "      <th>x_mitre_old_attack_id</th>\n",
       "      <th>x_mitre_difficulty_for_adversary_explanation</th>\n",
       "      <th>x_mitre_difficulty_for_adversary</th>\n",
       "      <th>x_mitre_detectable_by_common_defenses_explanation</th>\n",
       "      <th>x_mitre_detectable_by_common_defenses</th>\n",
       "      <th>x_mitre_tactic_type</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>attack-pattern--818302b2-d640-477b-bf88-873120...</td>\n",
       "      <td>Adversaries may abuse scripting or built-in co...</td>\n",
       "      <td>Network Device CLI</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'mitre-attack', 'external_id'...</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>[{'kill_chain_name': 'mitre-attack', 'phase_na...</td>\n",
       "      <td>2020-10-22T16:43:38.388Z</td>\n",
       "      <td>2020-10-20T00:09:33.072Z</td>\n",
       "      <td>...</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>attack-pattern--52759bf1-fe12-4052-ace6-c5b0cf...</td>\n",
       "      <td>Adversaries may access network configuration f...</td>\n",
       "      <td>Network Device Configuration Dump</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'mitre-attack', 'external_id'...</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>[{'kill_chain_name': 'mitre-attack', 'phase_na...</td>\n",
       "      <td>2020-10-22T01:45:55.144Z</td>\n",
       "      <td>2020-10-20T00:08:21.745Z</td>\n",
       "      <td>...</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>attack-pattern--28abec6c-4443-4b03-8206-07f2e2...</td>\n",
       "      <td>Adversaries may abuse netbooting to load an un...</td>\n",
       "      <td>TFTP Boot</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'mitre-attack', 'external_id'...</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>[{'kill_chain_name': 'mitre-attack', 'phase_na...</td>\n",
       "      <td>2020-10-22T16:35:53.806Z</td>\n",
       "      <td>2020-10-20T00:06:56.180Z</td>\n",
       "      <td>...</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>attack-pattern--a6557c75-798f-42e4-be70-ab4502...</td>\n",
       "      <td>Adversaries may abuse the ROM Monitor (ROMMON)...</td>\n",
       "      <td>ROMMONkit</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'mitre-attack', 'external_id'...</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>[{'kill_chain_name': 'mitre-attack', 'phase_na...</td>\n",
       "      <td>2020-10-22T02:18:19.568Z</td>\n",
       "      <td>2020-10-20T00:05:48.790Z</td>\n",
       "      <td>...</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "<p>4 rows × 31 columns</p>\n",
       "</div>"
      ],
      "text/plain": [
       "                                                  id  \\\n",
       "0  attack-pattern--818302b2-d640-477b-bf88-873120...   \n",
       "1  attack-pattern--52759bf1-fe12-4052-ace6-c5b0cf...   \n",
       "2  attack-pattern--28abec6c-4443-4b03-8206-07f2e2...   \n",
       "3  attack-pattern--a6557c75-798f-42e4-be70-ab4502...   \n",
       "\n",
       "                                         description  \\\n",
       "0  Adversaries may abuse scripting or built-in co...   \n",
       "1  Adversaries may access network configuration f...   \n",
       "2  Adversaries may abuse netbooting to load an un...   \n",
       "3  Adversaries may abuse the ROM Monitor (ROMMON)...   \n",
       "\n",
       "                                name  \\\n",
       "0                 Network Device CLI   \n",
       "1  Network Device Configuration Dump   \n",
       "2                          TFTP Boot   \n",
       "3                          ROMMONkit   \n",
       "\n",
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                 external_references            type  \\\n",
       "0  [{'source_name': 'mitre-attack', 'external_id'...  attack-pattern   \n",
       "1  [{'source_name': 'mitre-attack', 'external_id'...  attack-pattern   \n",
       "2  [{'source_name': 'mitre-attack', 'external_id'...  attack-pattern   \n",
       "3  [{'source_name': 'mitre-attack', 'external_id'...  attack-pattern   \n",
       "\n",
       "                                   kill_chain_phases  \\\n",
       "0  [{'kill_chain_name': 'mitre-attack', 'phase_na...   \n",
       "1  [{'kill_chain_name': 'mitre-attack', 'phase_na...   \n",
       "2  [{'kill_chain_name': 'mitre-attack', 'phase_na...   \n",
       "3  [{'kill_chain_name': 'mitre-attack', 'phase_na...   \n",
       "\n",
       "                   modified                   created  ...  \\\n",
       "0  2020-10-22T16:43:38.388Z  2020-10-20T00:09:33.072Z  ...   \n",
       "1  2020-10-22T01:45:55.144Z  2020-10-20T00:08:21.745Z  ...   \n",
       "2  2020-10-22T16:35:53.806Z  2020-10-20T00:06:56.180Z  ...   \n",
       "3  2020-10-22T02:18:19.568Z  2020-10-20T00:05:48.790Z  ...   \n",
       "\n",
       "  x_mitre_remote_support x_mitre_impact_type revoked x_mitre_deprecated  \\\n",
       "0                    NaN                 NaN     NaN                NaN   \n",
       "1                    NaN                 NaN     NaN                NaN   \n",
       "2                    NaN                 NaN     NaN                NaN   \n",
       "3                    NaN                 NaN     NaN                NaN   \n",
       "\n",
       "  x_mitre_old_attack_id x_mitre_difficulty_for_adversary_explanation  \\\n",
       "0                   NaN                                          NaN   \n",
       "1                   NaN                                          NaN   \n",
       "2                   NaN                                          NaN   \n",
       "3                   NaN                                          NaN   \n",
       "\n",
       "  x_mitre_difficulty_for_adversary  \\\n",
       "0                              NaN   \n",
       "1                              NaN   \n",
       "2                              NaN   \n",
       "3                              NaN   \n",
       "\n",
       "  x_mitre_detectable_by_common_defenses_explanation  \\\n",
       "0                                               NaN   \n",
       "1                                               NaN   \n",
       "2                                               NaN   \n",
       "3                                               NaN   \n",
       "\n",
       "  x_mitre_detectable_by_common_defenses x_mitre_tactic_type  \n",
       "0                                   NaN                 NaN  \n",
       "1                                   NaN                 NaN  \n",
       "2                                   NaN                 NaN  \n",
       "3                                   NaN                 NaN  \n",
       "\n",
       "[4 rows x 31 columns]"
      ]
     },
     "execution_count": 70,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "techniques_list = []\n",
    "for t in techniques:\n",
    "    techniques_list.append(json.loads(t.serialize()))\n",
    "df = pandas.json_normalize(techniques_list)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Enterprise Mitigations ONLY (TAXII)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 71,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Mitigations in Enterprise ATT&CK\n",
      "267\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Mitigations in Enterprise ATT&CK\")\n",
    "mitigations = lift.get_enterprise_mitigations()\n",
    "print(len(mitigations))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 72,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>external_references</th>\n",
       "      <th>description</th>\n",
       "      <th>name</th>\n",
       "      <th>id</th>\n",
       "      <th>type</th>\n",
       "      <th>modified</th>\n",
       "      <th>created</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_deprecated</th>\n",
       "      <th>x_mitre_old_attack_id</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'mitre-attack', 'external_id'...</td>\n",
       "      <td>This category is used for any applicable mitig...</td>\n",
       "      <td>Pre-compromise</td>\n",
       "      <td>course-of-action--78bb71be-92b4-46de-acd6-5f99...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>2020-10-20T19:52:32.439Z</td>\n",
       "      <td>2020-10-19T14:57:58.771Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'mitre-attack', 'external_id'...</td>\n",
       "      <td>This category is to associate techniques that ...</td>\n",
       "      <td>Do Not Mitigate</td>\n",
       "      <td>course-of-action--787fb64d-c87b-4ee5-a341-0ef1...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>2019-07-23T14:44:24.727Z</td>\n",
       "      <td>2019-07-19T14:58:42.715Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'mitre-attack', 'external_id'...</td>\n",
       "      <td>Implement configuration changes to software (o...</td>\n",
       "      <td>Software Configuration</td>\n",
       "      <td>course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e8...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>2020-03-31T13:11:09.471Z</td>\n",
       "      <td>2019-07-19T14:40:23.529Z</td>\n",
       "      <td>1.1</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'mitre-attack', 'external_id'...</td>\n",
       "      <td>Take and store data backups from end user syst...</td>\n",
       "      <td>Data Backup</td>\n",
       "      <td>course-of-action--3efe43d1-6f3f-4fcb-ab39-4a73...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>2020-03-31T13:11:28.201Z</td>\n",
       "      <td>2019-07-19T14:33:33.543Z</td>\n",
       "      <td>1.1</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                 external_references  \\\n",
       "0  [{'source_name': 'mitre-attack', 'external_id'...   \n",
       "1  [{'source_name': 'mitre-attack', 'external_id'...   \n",
       "2  [{'source_name': 'mitre-attack', 'external_id'...   \n",
       "3  [{'source_name': 'mitre-attack', 'external_id'...   \n",
       "\n",
       "                                         description                    name  \\\n",
       "0  This category is used for any applicable mitig...          Pre-compromise   \n",
       "1  This category is to associate techniques that ...         Do Not Mitigate   \n",
       "2  Implement configuration changes to software (o...  Software Configuration   \n",
       "3  Take and store data backups from end user syst...             Data Backup   \n",
       "\n",
       "                                                  id              type  \\\n",
       "0  course-of-action--78bb71be-92b4-46de-acd6-5f99...  course-of-action   \n",
       "1  course-of-action--787fb64d-c87b-4ee5-a341-0ef1...  course-of-action   \n",
       "2  course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e8...  course-of-action   \n",
       "3  course-of-action--3efe43d1-6f3f-4fcb-ab39-4a73...  course-of-action   \n",
       "\n",
       "                   modified                   created x_mitre_version  \\\n",
       "0  2020-10-20T19:52:32.439Z  2020-10-19T14:57:58.771Z             1.0   \n",
       "1  2019-07-23T14:44:24.727Z  2019-07-19T14:58:42.715Z             1.0   \n",
       "2  2020-03-31T13:11:09.471Z  2019-07-19T14:40:23.529Z             1.1   \n",
       "3  2020-03-31T13:11:28.201Z  2019-07-19T14:33:33.543Z             1.1   \n",
       "\n",
       "  x_mitre_deprecated x_mitre_old_attack_id  \n",
       "0                NaN                   NaN  \n",
       "1                NaN                   NaN  \n",
       "2                NaN                   NaN  \n",
       "3                NaN                   NaN  "
      ]
     },
     "execution_count": 72,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "mitigations_list = []\n",
    "for t in mitigations:\n",
    "    mitigations_list.append(json.loads(t.serialize()))\n",
    "df = pandas.json_normalize(mitigations_list)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Mobile Mitigations ONLY (TAXII)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 73,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Mitigations in Mobile ATT&CK\n",
      "13\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Mitigations in Mobile ATT&CK\")\n",
    "mitigations = lift.get_mobile_mitigations()\n",
    "print(len(mitigations))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 74,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>external_references</th>\n",
       "      <th>name</th>\n",
       "      <th>description</th>\n",
       "      <th>id</th>\n",
       "      <th>type</th>\n",
       "      <th>modified</th>\n",
       "      <th>created</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_old_attack_id</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'mitre-attack', 'external_id'...</td>\n",
       "      <td>User Guidance</td>\n",
       "      <td>Describes any guidance or training given to us...</td>\n",
       "      <td>course-of-action--653492e3-27be-4a0e-b08c-938d...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>2019-10-18T15:51:48.318Z</td>\n",
       "      <td>2019-10-18T12:53:03.508Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'mitre-attack', 'external_id'...</td>\n",
       "      <td>Security Updates</td>\n",
       "      <td>Install security updates in response to discov...</td>\n",
       "      <td>course-of-action--bcecd036-f40e-4916-9f8e-fd0c...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>2019-10-18T14:56:15.631Z</td>\n",
       "      <td>2019-10-18T12:51:36.488Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'mitre-attack', 'external_id'...</td>\n",
       "      <td>Attestation</td>\n",
       "      <td>Enable remote attestation capabilities when av...</td>\n",
       "      <td>course-of-action--ff4821f6-5afb-481b-8c0f-26c2...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>2019-10-18T14:52:53.019Z</td>\n",
       "      <td>2019-10-18T12:50:35.335Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'mitre-attack', 'external_id'...</td>\n",
       "      <td>Application Vetting</td>\n",
       "      <td>Enterprises can vet applications for exploitab...</td>\n",
       "      <td>course-of-action--1553b156-6767-47f7-9eb4-2a69...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>2019-10-18T15:53:07.393Z</td>\n",
       "      <td>2019-10-18T12:49:58.924Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                 external_references                 name  \\\n",
       "0  [{'source_name': 'mitre-attack', 'external_id'...        User Guidance   \n",
       "1  [{'source_name': 'mitre-attack', 'external_id'...     Security Updates   \n",
       "2  [{'source_name': 'mitre-attack', 'external_id'...          Attestation   \n",
       "3  [{'source_name': 'mitre-attack', 'external_id'...  Application Vetting   \n",
       "\n",
       "                                         description  \\\n",
       "0  Describes any guidance or training given to us...   \n",
       "1  Install security updates in response to discov...   \n",
       "2  Enable remote attestation capabilities when av...   \n",
       "3  Enterprises can vet applications for exploitab...   \n",
       "\n",
       "                                                  id              type  \\\n",
       "0  course-of-action--653492e3-27be-4a0e-b08c-938d...  course-of-action   \n",
       "1  course-of-action--bcecd036-f40e-4916-9f8e-fd0c...  course-of-action   \n",
       "2  course-of-action--ff4821f6-5afb-481b-8c0f-26c2...  course-of-action   \n",
       "3  course-of-action--1553b156-6767-47f7-9eb4-2a69...  course-of-action   \n",
       "\n",
       "                   modified                   created x_mitre_version  \\\n",
       "0  2019-10-18T15:51:48.318Z  2019-10-18T12:53:03.508Z             1.0   \n",
       "1  2019-10-18T14:56:15.631Z  2019-10-18T12:51:36.488Z             1.0   \n",
       "2  2019-10-18T14:52:53.019Z  2019-10-18T12:50:35.335Z             1.0   \n",
       "3  2019-10-18T15:53:07.393Z  2019-10-18T12:49:58.924Z             1.0   \n",
       "\n",
       "  x_mitre_old_attack_id  \n",
       "0                   NaN  \n",
       "1                   NaN  \n",
       "2                   NaN  \n",
       "3                   NaN  "
      ]
     },
     "execution_count": 74,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "mitigations_list = []\n",
    "for t in mitigations:\n",
    "    mitigations_list.append(json.loads(t.serialize()))\n",
    "df = pandas.json_normalize(mitigations_list)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Mitigations (TAXII)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 75,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Mitigations in ATT&CK\n",
      "296\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Mitigations in ATT&CK\")\n",
    "mitigations = lift.get_mitigations()\n",
    "print(len(mitigations))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 76,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>external_references</th>\n",
       "      <th>description</th>\n",
       "      <th>name</th>\n",
       "      <th>id</th>\n",
       "      <th>type</th>\n",
       "      <th>modified</th>\n",
       "      <th>created</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_deprecated</th>\n",
       "      <th>x_mitre_old_attack_id</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'mitre-attack', 'external_id'...</td>\n",
       "      <td>This category is used for any applicable mitig...</td>\n",
       "      <td>Pre-compromise</td>\n",
       "      <td>course-of-action--78bb71be-92b4-46de-acd6-5f99...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>2020-10-20T19:52:32.439Z</td>\n",
       "      <td>2020-10-19T14:57:58.771Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'mitre-attack', 'external_id'...</td>\n",
       "      <td>This category is to associate techniques that ...</td>\n",
       "      <td>Do Not Mitigate</td>\n",
       "      <td>course-of-action--787fb64d-c87b-4ee5-a341-0ef1...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>2019-07-23T14:44:24.727Z</td>\n",
       "      <td>2019-07-19T14:58:42.715Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'mitre-attack', 'external_id'...</td>\n",
       "      <td>Implement configuration changes to software (o...</td>\n",
       "      <td>Software Configuration</td>\n",
       "      <td>course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e8...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>2020-03-31T13:11:09.471Z</td>\n",
       "      <td>2019-07-19T14:40:23.529Z</td>\n",
       "      <td>1.1</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'mitre-attack', 'external_id'...</td>\n",
       "      <td>Take and store data backups from end user syst...</td>\n",
       "      <td>Data Backup</td>\n",
       "      <td>course-of-action--3efe43d1-6f3f-4fcb-ab39-4a73...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>2020-03-31T13:11:28.201Z</td>\n",
       "      <td>2019-07-19T14:33:33.543Z</td>\n",
       "      <td>1.1</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                 external_references  \\\n",
       "0  [{'source_name': 'mitre-attack', 'external_id'...   \n",
       "1  [{'source_name': 'mitre-attack', 'external_id'...   \n",
       "2  [{'source_name': 'mitre-attack', 'external_id'...   \n",
       "3  [{'source_name': 'mitre-attack', 'external_id'...   \n",
       "\n",
       "                                         description                    name  \\\n",
       "0  This category is used for any applicable mitig...          Pre-compromise   \n",
       "1  This category is to associate techniques that ...         Do Not Mitigate   \n",
       "2  Implement configuration changes to software (o...  Software Configuration   \n",
       "3  Take and store data backups from end user syst...             Data Backup   \n",
       "\n",
       "                                                  id              type  \\\n",
       "0  course-of-action--78bb71be-92b4-46de-acd6-5f99...  course-of-action   \n",
       "1  course-of-action--787fb64d-c87b-4ee5-a341-0ef1...  course-of-action   \n",
       "2  course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e8...  course-of-action   \n",
       "3  course-of-action--3efe43d1-6f3f-4fcb-ab39-4a73...  course-of-action   \n",
       "\n",
       "                   modified                   created x_mitre_version  \\\n",
       "0  2020-10-20T19:52:32.439Z  2020-10-19T14:57:58.771Z             1.0   \n",
       "1  2019-07-23T14:44:24.727Z  2019-07-19T14:58:42.715Z             1.0   \n",
       "2  2020-03-31T13:11:09.471Z  2019-07-19T14:40:23.529Z             1.1   \n",
       "3  2020-03-31T13:11:28.201Z  2019-07-19T14:33:33.543Z             1.1   \n",
       "\n",
       "  x_mitre_deprecated x_mitre_old_attack_id  \n",
       "0                NaN                   NaN  \n",
       "1                NaN                   NaN  \n",
       "2                NaN                   NaN  \n",
       "3                NaN                   NaN  "
      ]
     },
     "execution_count": 76,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "mitigations_list = []\n",
    "for t in mitigations:\n",
    "    mitigations_list.append(json.loads(t.serialize()))\n",
    "df = pandas.json_normalize(mitigations_list)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Enterprise Groups ONLY (TAXII)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 77,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Groups in Enterprise ATT&CK\n",
      "110\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Groups in Enterprise ATT&CK\")\n",
    "groups = lift.get_enterprise_groups()\n",
    "print(len(groups))"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All PRE Groups ONLY (TAXII)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 78,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Groups in PRE-ATT&CK\n",
      "7\n"
     ]
    },
    {
     "name": "stderr",
     "output_type": "stream",
     "text": [
      "/usr/local/lib/python3.8/site-packages/attackcti/attack_api.py:473: UserWarning: PRE ATT&CK is deprecated. It will be removed in future versions. Consider adjusting your application\n",
      "  warnings.warn(\"PRE ATT&CK is deprecated. It will be removed in future versions. Consider adjusting your application\")\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Groups in PRE-ATT&CK\")\n",
    "groups = lift.get_pre_groups()\n",
    "print(len(groups))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 79,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>external_references</th>\n",
       "      <th>name</th>\n",
       "      <th>description</th>\n",
       "      <th>type</th>\n",
       "      <th>id</th>\n",
       "      <th>aliases</th>\n",
       "      <th>modified</th>\n",
       "      <th>created</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_contributors</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'url': 'https://attack.mitre.org/groups/G008...</td>\n",
       "      <td>TEMP.Veles</td>\n",
       "      <td>[TEMP.Veles](https://attack.mitre.org/groups/G...</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fca...</td>\n",
       "      <td>[TEMP.Veles, XENOTIME]</td>\n",
       "      <td>2020-10-04T23:31:36.937Z</td>\n",
       "      <td>2019-04-16T15:14:38.533Z</td>\n",
       "      <td>1.2</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'mitre-attack', 'url': 'https...</td>\n",
       "      <td>APT17</td>\n",
       "      <td>[APT17](https://attack.mitre.org/groups/G0025)...</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>intrusion-set--090242d7-73fc-4738-af68-20162f7...</td>\n",
       "      <td>[APT17, Deputy Dog]</td>\n",
       "      <td>2020-10-13T22:33:14.018Z</td>\n",
       "      <td>2017-05-31T21:31:57.307Z</td>\n",
       "      <td>1.1</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'mitre-attack', 'url': 'https...</td>\n",
       "      <td>APT16</td>\n",
       "      <td>[APT16](https://attack.mitre.org/groups/G0023)...</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>intrusion-set--d6e88e18-81e8-4709-82d8-973095d...</td>\n",
       "      <td>[APT16]</td>\n",
       "      <td>2020-10-12T19:54:58.537Z</td>\n",
       "      <td>2017-05-31T21:31:56.270Z</td>\n",
       "      <td>1.1</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'mitre-attack', 'url': 'https...</td>\n",
       "      <td>Night Dragon</td>\n",
       "      <td>[Night Dragon](https://attack.mitre.org/groups...</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>intrusion-set--23b6a0f5-fa95-46f9-a6f3-4549c5e...</td>\n",
       "      <td>[Night Dragon]</td>\n",
       "      <td>2020-10-15T00:54:00.656Z</td>\n",
       "      <td>2017-05-31T21:31:51.643Z</td>\n",
       "      <td>1.3</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                 external_references          name  \\\n",
       "0  [{'url': 'https://attack.mitre.org/groups/G008...    TEMP.Veles   \n",
       "1  [{'source_name': 'mitre-attack', 'url': 'https...         APT17   \n",
       "2  [{'source_name': 'mitre-attack', 'url': 'https...         APT16   \n",
       "3  [{'source_name': 'mitre-attack', 'url': 'https...  Night Dragon   \n",
       "\n",
       "                                         description           type  \\\n",
       "0  [TEMP.Veles](https://attack.mitre.org/groups/G...  intrusion-set   \n",
       "1  [APT17](https://attack.mitre.org/groups/G0025)...  intrusion-set   \n",
       "2  [APT16](https://attack.mitre.org/groups/G0023)...  intrusion-set   \n",
       "3  [Night Dragon](https://attack.mitre.org/groups...  intrusion-set   \n",
       "\n",
       "                                                  id                 aliases  \\\n",
       "0  intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fca...  [TEMP.Veles, XENOTIME]   \n",
       "1  intrusion-set--090242d7-73fc-4738-af68-20162f7...     [APT17, Deputy Dog]   \n",
       "2  intrusion-set--d6e88e18-81e8-4709-82d8-973095d...                 [APT16]   \n",
       "3  intrusion-set--23b6a0f5-fa95-46f9-a6f3-4549c5e...          [Night Dragon]   \n",
       "\n",
       "                   modified                   created x_mitre_version  \\\n",
       "0  2020-10-04T23:31:36.937Z  2019-04-16T15:14:38.533Z             1.2   \n",
       "1  2020-10-13T22:33:14.018Z  2017-05-31T21:31:57.307Z             1.1   \n",
       "2  2020-10-12T19:54:58.537Z  2017-05-31T21:31:56.270Z             1.1   \n",
       "3  2020-10-15T00:54:00.656Z  2017-05-31T21:31:51.643Z             1.3   \n",
       "\n",
       "  x_mitre_contributors  \n",
       "0                  NaN  \n",
       "1                  NaN  \n",
       "2                  NaN  \n",
       "3                  NaN  "
      ]
     },
     "execution_count": 79,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "groups_list = []\n",
    "for t in groups:\n",
    "    groups_list.append(json.loads(t.serialize()))\n",
    "df = pandas.json_normalize(groups_list)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Mobile Groups ONLY (TAXII)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 80,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Groups in Mobile ATT&CK\n",
      "3\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Groups in Mobile ATT&CK\")\n",
    "groups = lift.get_mobile_groups()\n",
    "print(len(groups))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 81,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>external_references</th>\n",
       "      <th>description</th>\n",
       "      <th>name</th>\n",
       "      <th>type</th>\n",
       "      <th>id</th>\n",
       "      <th>aliases</th>\n",
       "      <th>modified</th>\n",
       "      <th>created</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_contributors</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'external_id': 'G0097', 'source_name': 'mitr...</td>\n",
       "      <td>[Bouncing Golf](https://attack.mitre.org/group...</td>\n",
       "      <td>Bouncing Golf</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a...</td>\n",
       "      <td>[Bouncing Golf]</td>\n",
       "      <td>2020-03-26T20:58:44.722Z</td>\n",
       "      <td>2020-01-27T16:55:39.688Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'mitre-attack', 'url': 'https...</td>\n",
       "      <td>[Dark Caracal](https://attack.mitre.org/groups...</td>\n",
       "      <td>Dark Caracal</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced74...</td>\n",
       "      <td>[Dark Caracal]</td>\n",
       "      <td>2020-06-03T20:22:40.401Z</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>1.2</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'external_id': 'G0007', 'url': 'https://atta...</td>\n",
       "      <td>[APT28](https://attack.mitre.org/groups/G0007)...</td>\n",
       "      <td>APT28</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e8...</td>\n",
       "      <td>[APT28, SNAKEMACKEREL, Swallowtail, Group 74, ...</td>\n",
       "      <td>2020-10-06T23:32:21.793Z</td>\n",
       "      <td>2017-05-31T21:31:48.664Z</td>\n",
       "      <td>3.0</td>\n",
       "      <td>[Sébastien Ruel, CGI, Drew Church, Splunk, Emi...</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                 external_references  \\\n",
       "0  [{'external_id': 'G0097', 'source_name': 'mitr...   \n",
       "1  [{'source_name': 'mitre-attack', 'url': 'https...   \n",
       "2  [{'external_id': 'G0007', 'url': 'https://atta...   \n",
       "\n",
       "                                         description           name  \\\n",
       "0  [Bouncing Golf](https://attack.mitre.org/group...  Bouncing Golf   \n",
       "1  [Dark Caracal](https://attack.mitre.org/groups...   Dark Caracal   \n",
       "2  [APT28](https://attack.mitre.org/groups/G0007)...          APT28   \n",
       "\n",
       "            type                                                 id  \\\n",
       "0  intrusion-set  intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a...   \n",
       "1  intrusion-set  intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced74...   \n",
       "2  intrusion-set  intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e8...   \n",
       "\n",
       "                                             aliases  \\\n",
       "0                                    [Bouncing Golf]   \n",
       "1                                     [Dark Caracal]   \n",
       "2  [APT28, SNAKEMACKEREL, Swallowtail, Group 74, ...   \n",
       "\n",
       "                   modified                   created x_mitre_version  \\\n",
       "0  2020-03-26T20:58:44.722Z  2020-01-27T16:55:39.688Z             1.0   \n",
       "1  2020-06-03T20:22:40.401Z  2018-10-17T00:14:20.652Z             1.2   \n",
       "2  2020-10-06T23:32:21.793Z  2017-05-31T21:31:48.664Z             3.0   \n",
       "\n",
       "                                x_mitre_contributors  \n",
       "0                                                NaN  \n",
       "1                                                NaN  \n",
       "2  [Sébastien Ruel, CGI, Drew Church, Splunk, Emi...  "
      ]
     },
     "execution_count": 81,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "groups_list = []\n",
    "for t in groups:\n",
    "    groups_list.append(json.loads(t.serialize()))\n",
    "df = pandas.json_normalize(groups_list)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Groups (TAXII)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "* This function gathers all groups defined in each Matrix (Enterprise, PRE & Mobile) and returns the unique ones\n",
    "  * This is because groups can be repeated across matrices"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 82,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Groups in ATT&CK\n",
      "113\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Groups in ATT&CK\")\n",
    "groups = lift.get_groups()\n",
    "print(len(groups))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 83,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>external_references</th>\n",
       "      <th>name</th>\n",
       "      <th>description</th>\n",
       "      <th>type</th>\n",
       "      <th>id</th>\n",
       "      <th>aliases</th>\n",
       "      <th>modified</th>\n",
       "      <th>created</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_contributors</th>\n",
       "      <th>revoked</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'external_id': 'G0115', 'source_name': 'mitr...</td>\n",
       "      <td>GOLD SOUTHFIELD</td>\n",
       "      <td>[GOLD SOUTHFIELD](https://attack.mitre.org/gro...</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a...</td>\n",
       "      <td>[GOLD SOUTHFIELD]</td>\n",
       "      <td>2020-10-06T15:32:20.089Z</td>\n",
       "      <td>2020-09-22T19:41:27.845Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'external_id': 'G0114', 'source_name': 'mitr...</td>\n",
       "      <td>Chimera</td>\n",
       "      <td>[Chimera](https://attack.mitre.org/groups/G011...</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>intrusion-set--8c1f0187-0826-4320-bddc-5f326cf...</td>\n",
       "      <td>[Chimera]</td>\n",
       "      <td>2020-10-05T20:59:57.694Z</td>\n",
       "      <td>2020-08-24T17:01:55.842Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'external_id': 'G0112', 'source_name': 'mitr...</td>\n",
       "      <td>Windshift</td>\n",
       "      <td>[Windshift](https://attack.mitre.org/groups/G0...</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a...</td>\n",
       "      <td>[Windshift, Bahamut]</td>\n",
       "      <td>2020-06-26T13:46:14.122Z</td>\n",
       "      <td>2020-06-25T17:16:39.168Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'external_id': 'G0108', 'source_name': 'mitr...</td>\n",
       "      <td>Blue Mockingbird</td>\n",
       "      <td>[Blue Mockingbird](https://attack.mitre.org/gr...</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>intrusion-set--73a80fab-2aa3-48e0-a4d0-3a48282...</td>\n",
       "      <td>[Blue Mockingbird]</td>\n",
       "      <td>2020-06-25T13:59:09.596Z</td>\n",
       "      <td>2020-05-26T20:09:39.139Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[Tony Lambert, Red Canary]</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                 external_references              name  \\\n",
       "0  [{'external_id': 'G0115', 'source_name': 'mitr...   GOLD SOUTHFIELD   \n",
       "1  [{'external_id': 'G0114', 'source_name': 'mitr...           Chimera   \n",
       "2  [{'external_id': 'G0112', 'source_name': 'mitr...         Windshift   \n",
       "3  [{'external_id': 'G0108', 'source_name': 'mitr...  Blue Mockingbird   \n",
       "\n",
       "                                         description           type  \\\n",
       "0  [GOLD SOUTHFIELD](https://attack.mitre.org/gro...  intrusion-set   \n",
       "1  [Chimera](https://attack.mitre.org/groups/G011...  intrusion-set   \n",
       "2  [Windshift](https://attack.mitre.org/groups/G0...  intrusion-set   \n",
       "3  [Blue Mockingbird](https://attack.mitre.org/gr...  intrusion-set   \n",
       "\n",
       "                                                  id               aliases  \\\n",
       "0  intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a...     [GOLD SOUTHFIELD]   \n",
       "1  intrusion-set--8c1f0187-0826-4320-bddc-5f326cf...             [Chimera]   \n",
       "2  intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a...  [Windshift, Bahamut]   \n",
       "3  intrusion-set--73a80fab-2aa3-48e0-a4d0-3a48282...    [Blue Mockingbird]   \n",
       "\n",
       "                   modified                   created x_mitre_version  \\\n",
       "0  2020-10-06T15:32:20.089Z  2020-09-22T19:41:27.845Z             1.0   \n",
       "1  2020-10-05T20:59:57.694Z  2020-08-24T17:01:55.842Z             1.0   \n",
       "2  2020-06-26T13:46:14.122Z  2020-06-25T17:16:39.168Z             1.0   \n",
       "3  2020-06-25T13:59:09.596Z  2020-05-26T20:09:39.139Z             1.0   \n",
       "\n",
       "         x_mitre_contributors revoked  \n",
       "0                         NaN     NaN  \n",
       "1                         NaN     NaN  \n",
       "2                         NaN     NaN  \n",
       "3  [Tony Lambert, Red Canary]     NaN  "
      ]
     },
     "execution_count": 83,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "groups_list = []\n",
    "for t in groups:\n",
    "    groups_list.append(json.loads(t.serialize()))\n",
    "df = pandas.json_normalize(groups_list)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Enterprise & Mobile Software (Malware & Tools) (TAXII)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 84,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Software in ATT&CK\n",
      "523\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Software in ATT&CK\")\n",
    "software = lift.get_software()\n",
    "print(len(software))"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Enterprise Relationships ONLY (TAXII)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 85,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>id</th>\n",
       "      <th>name</th>\n",
       "      <th>description</th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>external_references</th>\n",
       "      <th>type</th>\n",
       "      <th>labels</th>\n",
       "      <th>modified</th>\n",
       "      <th>created</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_aliases</th>\n",
       "      <th>x_mitre_platforms</th>\n",
       "      <th>x_mitre_contributors</th>\n",
       "      <th>x_mitre_old_attack_id</th>\n",
       "      <th>revoked</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>tool--975737f1-b10d-476f-8bda-3ec26ea57172</td>\n",
       "      <td>MCMD</td>\n",
       "      <td>[MCMD](https://attack.mitre.org/software/S0500...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'external_id': 'S0500', 'source_name': 'mitr...</td>\n",
       "      <td>tool</td>\n",
       "      <td>[tool]</td>\n",
       "      <td>2020-08-20T14:52:23.369Z</td>\n",
       "      <td>2020-08-13T17:15:25.702Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[MCMD]</td>\n",
       "      <td>[Windows]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>tool--c4810609-7da6-48ec-8057-1b70a7814db0</td>\n",
       "      <td>CrackMapExec</td>\n",
       "      <td>[CrackMapExec](https://attack.mitre.org/softwa...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'external_id': 'S0488', 'source_name': 'mitr...</td>\n",
       "      <td>tool</td>\n",
       "      <td>[tool]</td>\n",
       "      <td>2020-07-29T20:19:40.544Z</td>\n",
       "      <td>2020-07-17T14:23:05.958Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[CrackMapExec]</td>\n",
       "      <td>[Windows]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>tool--5fc81b43-62b5-41b1-9113-c79ae5f030c4</td>\n",
       "      <td>CARROTBALL</td>\n",
       "      <td>[CARROTBALL](https://attack.mitre.org/software...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'external_id': 'S0465', 'source_name': 'mitr...</td>\n",
       "      <td>tool</td>\n",
       "      <td>[tool]</td>\n",
       "      <td>2020-06-10T14:44:23.055Z</td>\n",
       "      <td>2020-06-02T19:10:29.513Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[CARROTBALL]</td>\n",
       "      <td>[Windows]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>tool--115f88dd-0618-4389-83cb-98d33ae81848</td>\n",
       "      <td>ShimRatReporter</td>\n",
       "      <td>[ShimRatReporter](https://attack.mitre.org/sof...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'external_id': 'S0445', 'source_name': 'mitr...</td>\n",
       "      <td>tool</td>\n",
       "      <td>[tool]</td>\n",
       "      <td>2020-05-27T22:39:28.701Z</td>\n",
       "      <td>2020-05-12T21:29:48.294Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[ShimRatReporter]</td>\n",
       "      <td>[Windows]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                           id             name  \\\n",
       "0  tool--975737f1-b10d-476f-8bda-3ec26ea57172             MCMD   \n",
       "1  tool--c4810609-7da6-48ec-8057-1b70a7814db0     CrackMapExec   \n",
       "2  tool--5fc81b43-62b5-41b1-9113-c79ae5f030c4       CARROTBALL   \n",
       "3  tool--115f88dd-0618-4389-83cb-98d33ae81848  ShimRatReporter   \n",
       "\n",
       "                                         description  \\\n",
       "0  [MCMD](https://attack.mitre.org/software/S0500...   \n",
       "1  [CrackMapExec](https://attack.mitre.org/softwa...   \n",
       "2  [CARROTBALL](https://attack.mitre.org/software...   \n",
       "3  [ShimRatReporter](https://attack.mitre.org/sof...   \n",
       "\n",
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                 external_references  type  labels  \\\n",
       "0  [{'external_id': 'S0500', 'source_name': 'mitr...  tool  [tool]   \n",
       "1  [{'external_id': 'S0488', 'source_name': 'mitr...  tool  [tool]   \n",
       "2  [{'external_id': 'S0465', 'source_name': 'mitr...  tool  [tool]   \n",
       "3  [{'external_id': 'S0445', 'source_name': 'mitr...  tool  [tool]   \n",
       "\n",
       "                   modified                   created x_mitre_version  \\\n",
       "0  2020-08-20T14:52:23.369Z  2020-08-13T17:15:25.702Z             1.0   \n",
       "1  2020-07-29T20:19:40.544Z  2020-07-17T14:23:05.958Z             1.0   \n",
       "2  2020-06-10T14:44:23.055Z  2020-06-02T19:10:29.513Z             1.0   \n",
       "3  2020-05-27T22:39:28.701Z  2020-05-12T21:29:48.294Z             1.0   \n",
       "\n",
       "     x_mitre_aliases x_mitre_platforms x_mitre_contributors  \\\n",
       "0             [MCMD]         [Windows]                  NaN   \n",
       "1     [CrackMapExec]         [Windows]                  NaN   \n",
       "2       [CARROTBALL]         [Windows]                  NaN   \n",
       "3  [ShimRatReporter]         [Windows]                  NaN   \n",
       "\n",
       "  x_mitre_old_attack_id revoked  \n",
       "0                   NaN     NaN  \n",
       "1                   NaN     NaN  \n",
       "2                   NaN     NaN  \n",
       "3                   NaN     NaN  "
      ]
     },
     "execution_count": 85,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "software_list = []\n",
    "for t in software:\n",
    "    software_list.append(json.loads(t.serialize()))\n",
    "df = pandas.json_normalize(software_list)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 86,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Relationships in Enterprise ATT&CK\n",
      "9263\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Relationships in Enterprise ATT&CK\")\n",
    "relationships = lift.get_enterprise_relationships()\n",
    "print(len(relationships))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 87,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>external_references</th>\n",
       "      <th>id</th>\n",
       "      <th>type</th>\n",
       "      <th>created</th>\n",
       "      <th>description</th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>modified</th>\n",
       "      <th>source_ref</th>\n",
       "      <th>relationship_type</th>\n",
       "      <th>target_ref</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'FireEye KEGTAP SINGLEMALT Oc...</td>\n",
       "      <td>relationship--fcee0cef-7d5b-49da-928c-2a3d0cfd...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2020-11-10T18:04:03.668Z</td>\n",
       "      <td>(Citation: FireEye KEGTAP SINGLEMALT October 2...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>2020-11-10T18:04:03.668Z</td>\n",
       "      <td>intrusion-set--dd2d9ca6-505b-4860-a604-233685b...</td>\n",
       "      <td>uses</td>\n",
       "      <td>malware--a7881f21-e978-4fe4-af56-92c9416a2616</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'FireEye KEGTAP SINGLEMALT Oc...</td>\n",
       "      <td>relationship--c118e50b-4559-4bff-bde5-78aa426f...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2020-11-10T18:04:03.666Z</td>\n",
       "      <td>(Citation: FireEye KEGTAP SINGLEMALT October 2...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>2020-11-10T18:04:03.666Z</td>\n",
       "      <td>intrusion-set--dd2d9ca6-505b-4860-a604-233685b...</td>\n",
       "      <td>uses</td>\n",
       "      <td>tool--afc079f3-c0ea-4096-b75d-3f05338b7f60</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'DFIR Ryuk's Return October 2...</td>\n",
       "      <td>relationship--43b9a1b5-6f95-4c6c-8e1f-59f9049e...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2020-11-10T18:04:03.589Z</td>\n",
       "      <td>(Citation: DFIR Ryuk's Return October 2020)(Ci...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>2020-11-10T18:04:03.589Z</td>\n",
       "      <td>intrusion-set--dd2d9ca6-505b-4860-a604-233685b...</td>\n",
       "      <td>uses</td>\n",
       "      <td>tool--b77b563c-34bb-4fb8-86a3-3694338f7b47</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'FireEye KEGTAP SINGLEMALT Oc...</td>\n",
       "      <td>relationship--585842e6-fe9a-4508-8e67-c232f8aa...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2020-11-10T18:04:03.571Z</td>\n",
       "      <td>(Citation: FireEye KEGTAP SINGLEMALT October 2...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>2020-11-10T18:04:03.571Z</td>\n",
       "      <td>intrusion-set--dd2d9ca6-505b-4860-a604-233685b...</td>\n",
       "      <td>uses</td>\n",
       "      <td>tool--981acc4c-2ede-4b56-be6e-fa1a75f37acf</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                 external_references  \\\n",
       "0  [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc...   \n",
       "1  [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc...   \n",
       "2  [{'source_name': 'DFIR Ryuk's Return October 2...   \n",
       "3  [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc...   \n",
       "\n",
       "                                                  id          type  \\\n",
       "0  relationship--fcee0cef-7d5b-49da-928c-2a3d0cfd...  relationship   \n",
       "1  relationship--c118e50b-4559-4bff-bde5-78aa426f...  relationship   \n",
       "2  relationship--43b9a1b5-6f95-4c6c-8e1f-59f9049e...  relationship   \n",
       "3  relationship--585842e6-fe9a-4508-8e67-c232f8aa...  relationship   \n",
       "\n",
       "                    created  \\\n",
       "0  2020-11-10T18:04:03.668Z   \n",
       "1  2020-11-10T18:04:03.666Z   \n",
       "2  2020-11-10T18:04:03.589Z   \n",
       "3  2020-11-10T18:04:03.571Z   \n",
       "\n",
       "                                         description  \\\n",
       "0  (Citation: FireEye KEGTAP SINGLEMALT October 2...   \n",
       "1  (Citation: FireEye KEGTAP SINGLEMALT October 2...   \n",
       "2  (Citation: DFIR Ryuk's Return October 2020)(Ci...   \n",
       "3  (Citation: FireEye KEGTAP SINGLEMALT October 2...   \n",
       "\n",
       "                                   created_by_ref                  modified  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5  2020-11-10T18:04:03.668Z   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5  2020-11-10T18:04:03.666Z   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5  2020-11-10T18:04:03.589Z   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5  2020-11-10T18:04:03.571Z   \n",
       "\n",
       "                                          source_ref relationship_type  \\\n",
       "0  intrusion-set--dd2d9ca6-505b-4860-a604-233685b...              uses   \n",
       "1  intrusion-set--dd2d9ca6-505b-4860-a604-233685b...              uses   \n",
       "2  intrusion-set--dd2d9ca6-505b-4860-a604-233685b...              uses   \n",
       "3  intrusion-set--dd2d9ca6-505b-4860-a604-233685b...              uses   \n",
       "\n",
       "                                      target_ref  \n",
       "0  malware--a7881f21-e978-4fe4-af56-92c9416a2616  \n",
       "1     tool--afc079f3-c0ea-4096-b75d-3f05338b7f60  \n",
       "2     tool--b77b563c-34bb-4fb8-86a3-3694338f7b47  \n",
       "3     tool--981acc4c-2ede-4b56-be6e-fa1a75f37acf  "
      ]
     },
     "execution_count": 87,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "relations_list = []\n",
    "for t in relationships:\n",
    "    relations_list.append(json.loads(t.serialize()))\n",
    "df = pandas.json_normalize(relations_list)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All PRE Relationships ONLY (TAXII)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 88,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Relationships in PRE-ATT&CK\n",
      "69\n"
     ]
    },
    {
     "name": "stderr",
     "output_type": "stream",
     "text": [
      "/usr/local/lib/python3.8/site-packages/attackcti/attack_api.py:491: UserWarning: PRE ATT&CK is deprecated. It will be removed in future versions. Consider adjusting your application\n",
      "  warnings.warn(\"PRE ATT&CK is deprecated. It will be removed in future versions. Consider adjusting your application\")\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Relationships in PRE-ATT&CK\")\n",
    "relationships = lift.get_pre_relationships()\n",
    "print(len(relationships))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 89,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>external_references</th>\n",
       "      <th>description</th>\n",
       "      <th>id</th>\n",
       "      <th>type</th>\n",
       "      <th>modified</th>\n",
       "      <th>created</th>\n",
       "      <th>source_ref</th>\n",
       "      <th>relationship_type</th>\n",
       "      <th>target_ref</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'Mandiant APT1', 'description...</td>\n",
       "      <td>[APT1](https://attack.mitre.org/groups/G0006) ...</td>\n",
       "      <td>relationship--980656e3-ba60-49ee-9ce8-cbe1a0dc...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2020-03-25T13:59:27.774Z</td>\n",
       "      <td>2020-03-25T13:59:27.774Z</td>\n",
       "      <td>intrusion-set--6a2e693f-24e5-451a-9f88-b36a108...</td>\n",
       "      <td>uses</td>\n",
       "      <td>attack-pattern--4900fabf-1142-4c1f-92f5-0b590e...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'description': 'Miller, S, et al. (2019, Apr...</td>\n",
       "      <td>[TEMP.Veles](https://attack.mitre.org/groups/G...</td>\n",
       "      <td>relationship--21842707-0f15-43bf-bc42-2bceadf2...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2019-04-29T18:59:16.596Z</td>\n",
       "      <td>2019-04-24T19:45:44.212Z</td>\n",
       "      <td>intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fca...</td>\n",
       "      <td>uses</td>\n",
       "      <td>attack-pattern--20a66013-8dab-4ca3-a67d-766c84...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'description': 'Miller, S, et al. (2019, Apr...</td>\n",
       "      <td>[TEMP.Veles](https://attack.mitre.org/groups/G...</td>\n",
       "      <td>relationship--2d95ed6f-52e7-4708-af15-9a6c0839...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2019-04-29T18:59:16.595Z</td>\n",
       "      <td>2019-04-24T19:45:44.205Z</td>\n",
       "      <td>intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fca...</td>\n",
       "      <td>uses</td>\n",
       "      <td>attack-pattern--795c1a92-3a26-453e-b99a-6a566a...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>relationship--83379e43-4bc5-4c49-b0b3-f41161e8...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2019-02-19T18:56:56.770Z</td>\n",
       "      <td>2019-02-19T18:56:56.770Z</td>\n",
       "      <td>attack-pattern--e5164428-03ca-4336-a9a7-4d9ea1...</td>\n",
       "      <td>related-to</td>\n",
       "      <td>attack-pattern--03f4a766-7a21-4b5e-9ccf-e0cf42...</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                 external_references  \\\n",
       "0  [{'source_name': 'Mandiant APT1', 'description...   \n",
       "1  [{'description': 'Miller, S, et al. (2019, Apr...   \n",
       "2  [{'description': 'Miller, S, et al. (2019, Apr...   \n",
       "3                                                NaN   \n",
       "\n",
       "                                         description  \\\n",
       "0  [APT1](https://attack.mitre.org/groups/G0006) ...   \n",
       "1  [TEMP.Veles](https://attack.mitre.org/groups/G...   \n",
       "2  [TEMP.Veles](https://attack.mitre.org/groups/G...   \n",
       "3                                                NaN   \n",
       "\n",
       "                                                  id          type  \\\n",
       "0  relationship--980656e3-ba60-49ee-9ce8-cbe1a0dc...  relationship   \n",
       "1  relationship--21842707-0f15-43bf-bc42-2bceadf2...  relationship   \n",
       "2  relationship--2d95ed6f-52e7-4708-af15-9a6c0839...  relationship   \n",
       "3  relationship--83379e43-4bc5-4c49-b0b3-f41161e8...  relationship   \n",
       "\n",
       "                   modified                   created  \\\n",
       "0  2020-03-25T13:59:27.774Z  2020-03-25T13:59:27.774Z   \n",
       "1  2019-04-29T18:59:16.596Z  2019-04-24T19:45:44.212Z   \n",
       "2  2019-04-29T18:59:16.595Z  2019-04-24T19:45:44.205Z   \n",
       "3  2019-02-19T18:56:56.770Z  2019-02-19T18:56:56.770Z   \n",
       "\n",
       "                                          source_ref relationship_type  \\\n",
       "0  intrusion-set--6a2e693f-24e5-451a-9f88-b36a108...              uses   \n",
       "1  intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fca...              uses   \n",
       "2  intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fca...              uses   \n",
       "3  attack-pattern--e5164428-03ca-4336-a9a7-4d9ea1...        related-to   \n",
       "\n",
       "                                          target_ref  \n",
       "0  attack-pattern--4900fabf-1142-4c1f-92f5-0b590e...  \n",
       "1  attack-pattern--20a66013-8dab-4ca3-a67d-766c84...  \n",
       "2  attack-pattern--795c1a92-3a26-453e-b99a-6a566a...  \n",
       "3  attack-pattern--03f4a766-7a21-4b5e-9ccf-e0cf42...  "
      ]
     },
     "execution_count": 89,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "relations_list = []\n",
    "for t in relationships:\n",
    "    relations_list.append(json.loads(t.serialize()))\n",
    "df = pandas.json_normalize(relations_list)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Mobile Relationships ONLY (TAXII)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 90,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Relationships in Mobile ATT&CK\n",
      "795\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Relationships in Mobile ATT&CK\")\n",
    "relationships = lift.get_mobile_relationships()\n",
    "print(len(relationships))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 91,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>id</th>\n",
       "      <th>type</th>\n",
       "      <th>modified</th>\n",
       "      <th>created</th>\n",
       "      <th>source_ref</th>\n",
       "      <th>relationship_type</th>\n",
       "      <th>target_ref</th>\n",
       "      <th>description</th>\n",
       "      <th>external_references</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>relationship--39f46abc-d9e3-463d-9340-3bc8334a...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2020-10-23T15:05:40.967Z</td>\n",
       "      <td>2020-10-23T15:05:40.967Z</td>\n",
       "      <td>attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab...</td>\n",
       "      <td>revoked-by</td>\n",
       "      <td>attack-pattern--77e30eee-fd48-40b4-99ec-73e97c...</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>relationship--e373111c-aa34-4686-a286-7c9b4267...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2020-10-01T12:43:42.238Z</td>\n",
       "      <td>2020-09-30T14:48:16.522Z</td>\n",
       "      <td>course-of-action--0beabf44-e8d8-4ae4-9122-ef56...</td>\n",
       "      <td>mitigates</td>\n",
       "      <td>attack-pattern--8197f026-64da-4700-93b9-b55ba5...</td>\n",
       "      <td>New OS releases frequently contain additional ...</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>relationship--37459382-00b7-4699-a294-d25f53bf...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2020-10-01T12:42:21.985Z</td>\n",
       "      <td>2020-09-30T14:36:43.256Z</td>\n",
       "      <td>course-of-action--0beabf44-e8d8-4ae4-9122-ef56...</td>\n",
       "      <td>mitigates</td>\n",
       "      <td>attack-pattern--77e30eee-fd48-40b4-99ec-73e97c...</td>\n",
       "      <td>iOS 11 introduced a first-come-first-served pr...</td>\n",
       "      <td>[{'source_name': 'Trend Micro iOS URL Hijackin...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>relationship--455b1287-5784-42b4-91fb-01dac007...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2020-09-29T13:24:15.234Z</td>\n",
       "      <td>2020-09-29T13:24:15.234Z</td>\n",
       "      <td>malware--317a2c10-d489-431e-b6b2-f0251fddc88e</td>\n",
       "      <td>uses</td>\n",
       "      <td>attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd2...</td>\n",
       "      <td>[Dendroid](https://attack.mitre.org/software/S...</td>\n",
       "      <td>[{'source_name': 'Lookout-Dendroid', 'descript...</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                                  id          type  \\\n",
       "0  relationship--39f46abc-d9e3-463d-9340-3bc8334a...  relationship   \n",
       "1  relationship--e373111c-aa34-4686-a286-7c9b4267...  relationship   \n",
       "2  relationship--37459382-00b7-4699-a294-d25f53bf...  relationship   \n",
       "3  relationship--455b1287-5784-42b4-91fb-01dac007...  relationship   \n",
       "\n",
       "                   modified                   created  \\\n",
       "0  2020-10-23T15:05:40.967Z  2020-10-23T15:05:40.967Z   \n",
       "1  2020-10-01T12:43:42.238Z  2020-09-30T14:48:16.522Z   \n",
       "2  2020-10-01T12:42:21.985Z  2020-09-30T14:36:43.256Z   \n",
       "3  2020-09-29T13:24:15.234Z  2020-09-29T13:24:15.234Z   \n",
       "\n",
       "                                          source_ref relationship_type  \\\n",
       "0  attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab...        revoked-by   \n",
       "1  course-of-action--0beabf44-e8d8-4ae4-9122-ef56...         mitigates   \n",
       "2  course-of-action--0beabf44-e8d8-4ae4-9122-ef56...         mitigates   \n",
       "3      malware--317a2c10-d489-431e-b6b2-f0251fddc88e              uses   \n",
       "\n",
       "                                          target_ref  \\\n",
       "0  attack-pattern--77e30eee-fd48-40b4-99ec-73e97c...   \n",
       "1  attack-pattern--8197f026-64da-4700-93b9-b55ba5...   \n",
       "2  attack-pattern--77e30eee-fd48-40b4-99ec-73e97c...   \n",
       "3  attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd2...   \n",
       "\n",
       "                                         description  \\\n",
       "0                                                NaN   \n",
       "1  New OS releases frequently contain additional ...   \n",
       "2  iOS 11 introduced a first-come-first-served pr...   \n",
       "3  [Dendroid](https://attack.mitre.org/software/S...   \n",
       "\n",
       "                                 external_references  \n",
       "0                                                NaN  \n",
       "1                                                NaN  \n",
       "2  [{'source_name': 'Trend Micro iOS URL Hijackin...  \n",
       "3  [{'source_name': 'Lookout-Dendroid', 'descript...  "
      ]
     },
     "execution_count": 91,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "relations_list = []\n",
    "for t in relationships:\n",
    "    relations_list.append(json.loads(t.serialize()))\n",
    "df = pandas.json_normalize(relations_list)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Relationships (TAXII)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 92,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Relationships in ATT&CK\n",
      "10635\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Relationships in ATT&CK\")\n",
    "relationships = lift.get_relationships()\n",
    "print(len(relationships))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 93,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>external_references</th>\n",
       "      <th>id</th>\n",
       "      <th>type</th>\n",
       "      <th>created</th>\n",
       "      <th>description</th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>modified</th>\n",
       "      <th>source_ref</th>\n",
       "      <th>relationship_type</th>\n",
       "      <th>target_ref</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'FireEye KEGTAP SINGLEMALT Oc...</td>\n",
       "      <td>relationship--fcee0cef-7d5b-49da-928c-2a3d0cfd...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2020-11-10T18:04:03.668Z</td>\n",
       "      <td>(Citation: FireEye KEGTAP SINGLEMALT October 2...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>2020-11-10T18:04:03.668Z</td>\n",
       "      <td>intrusion-set--dd2d9ca6-505b-4860-a604-233685b...</td>\n",
       "      <td>uses</td>\n",
       "      <td>malware--a7881f21-e978-4fe4-af56-92c9416a2616</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'FireEye KEGTAP SINGLEMALT Oc...</td>\n",
       "      <td>relationship--c118e50b-4559-4bff-bde5-78aa426f...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2020-11-10T18:04:03.666Z</td>\n",
       "      <td>(Citation: FireEye KEGTAP SINGLEMALT October 2...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>2020-11-10T18:04:03.666Z</td>\n",
       "      <td>intrusion-set--dd2d9ca6-505b-4860-a604-233685b...</td>\n",
       "      <td>uses</td>\n",
       "      <td>tool--afc079f3-c0ea-4096-b75d-3f05338b7f60</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'DFIR Ryuk's Return October 2...</td>\n",
       "      <td>relationship--43b9a1b5-6f95-4c6c-8e1f-59f9049e...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2020-11-10T18:04:03.589Z</td>\n",
       "      <td>(Citation: DFIR Ryuk's Return October 2020)(Ci...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>2020-11-10T18:04:03.589Z</td>\n",
       "      <td>intrusion-set--dd2d9ca6-505b-4860-a604-233685b...</td>\n",
       "      <td>uses</td>\n",
       "      <td>tool--b77b563c-34bb-4fb8-86a3-3694338f7b47</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>[{'source_name': 'FireEye KEGTAP SINGLEMALT Oc...</td>\n",
       "      <td>relationship--585842e6-fe9a-4508-8e67-c232f8aa...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2020-11-10T18:04:03.571Z</td>\n",
       "      <td>(Citation: FireEye KEGTAP SINGLEMALT October 2...</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>2020-11-10T18:04:03.571Z</td>\n",
       "      <td>intrusion-set--dd2d9ca6-505b-4860-a604-233685b...</td>\n",
       "      <td>uses</td>\n",
       "      <td>tool--981acc4c-2ede-4b56-be6e-fa1a75f37acf</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                 external_references  \\\n",
       "0  [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc...   \n",
       "1  [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc...   \n",
       "2  [{'source_name': 'DFIR Ryuk's Return October 2...   \n",
       "3  [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc...   \n",
       "\n",
       "                                                  id          type  \\\n",
       "0  relationship--fcee0cef-7d5b-49da-928c-2a3d0cfd...  relationship   \n",
       "1  relationship--c118e50b-4559-4bff-bde5-78aa426f...  relationship   \n",
       "2  relationship--43b9a1b5-6f95-4c6c-8e1f-59f9049e...  relationship   \n",
       "3  relationship--585842e6-fe9a-4508-8e67-c232f8aa...  relationship   \n",
       "\n",
       "                    created  \\\n",
       "0  2020-11-10T18:04:03.668Z   \n",
       "1  2020-11-10T18:04:03.666Z   \n",
       "2  2020-11-10T18:04:03.589Z   \n",
       "3  2020-11-10T18:04:03.571Z   \n",
       "\n",
       "                                         description  \\\n",
       "0  (Citation: FireEye KEGTAP SINGLEMALT October 2...   \n",
       "1  (Citation: FireEye KEGTAP SINGLEMALT October 2...   \n",
       "2  (Citation: DFIR Ryuk's Return October 2020)(Ci...   \n",
       "3  (Citation: FireEye KEGTAP SINGLEMALT October 2...   \n",
       "\n",
       "                                   created_by_ref                  modified  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5  2020-11-10T18:04:03.668Z   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5  2020-11-10T18:04:03.666Z   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5  2020-11-10T18:04:03.589Z   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5  2020-11-10T18:04:03.571Z   \n",
       "\n",
       "                                          source_ref relationship_type  \\\n",
       "0  intrusion-set--dd2d9ca6-505b-4860-a604-233685b...              uses   \n",
       "1  intrusion-set--dd2d9ca6-505b-4860-a604-233685b...              uses   \n",
       "2  intrusion-set--dd2d9ca6-505b-4860-a604-233685b...              uses   \n",
       "3  intrusion-set--dd2d9ca6-505b-4860-a604-233685b...              uses   \n",
       "\n",
       "                                      target_ref  \n",
       "0  malware--a7881f21-e978-4fe4-af56-92c9416a2616  \n",
       "1     tool--afc079f3-c0ea-4096-b75d-3f05338b7f60  \n",
       "2     tool--b77b563c-34bb-4fb8-86a3-3694338f7b47  \n",
       "3     tool--981acc4c-2ede-4b56-be6e-fa1a75f37acf  "
      ]
     },
     "execution_count": 93,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "relations_list = []\n",
    "for t in relationships:\n",
    "    relations_list.append(json.loads(t.serialize()))\n",
    "df = pandas.json_normalize(relations_list)\n",
    "df[0:4]"
   ]
  }
 ],
 "metadata": {
  "kernelspec": {
   "display_name": "Python 3",
   "language": "python",
   "name": "python3"
  },
  "language_info": {
   "codemirror_mode": {
    "name": "ipython",
    "version": 3
   },
   "file_extension": ".py",
   "mimetype": "text/x-python",
   "name": "python",
   "nbconvert_exporter": "python",
   "pygments_lexer": "ipython3",
   "version": "3.8.5"
  }
 },
 "nbformat": 4,
 "nbformat_minor": 4
}
